4c603d763a2b79e36492413ff788e1dd795bc09c67b2f4eccad5f339ebe44e89 (SHA256)
nstpeer.exe
Windows Exe (x86-32)
Created at 2018-11-01 09:56:00
Notifications (2/2)
The operating system was rebooted during the analysis.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: nstpeer.exe
273
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\ciihmnxmn6ps\desktop\nstpeer.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\nstpeer.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:45, Reason: Self Terminated |
| Monitor Duration | 00:02:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe28 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E2C
0x
E30
0x
E48
0x
E8C
0x
E90
0x
EA8
0x
EB0
0x
F48
0x
FD8
0x
FE8
0x
A48
0x
C90
0x
C94
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00173fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00195fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00187fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00190fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00310fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x00323fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00330fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00350fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00353fff | Pagefile Backed Memory | r |
|
|
|
- |
| user32.dll.mui | 0x00360000 | 0x00364fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00393fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f6fff | Private Memory | rwx |
|
|
|
- |
| nstpeer.exe | 0x00400000 | 0x0051efff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000520000 | 0x00520000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0069ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006b0fff | Private Memory | rw |
|
|
|
- |
| wdmaud.drv.mui | 0x006c0000 | 0x006c0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x00a67fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00bf0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x01ffffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02000000 | 0x02336fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002340000 | 0x02340000 | 0x0247ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002340000 | 0x02340000 | 0x023f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002400000 | 0x02400000 | 0x0243ffff | Private Memory | rw |
|
|
|
- |
| hdaudio.pnf | 0x02440000 | 0x02457fff | Memory Mapped File | r |
|
|
|
- |
| mmdevapi.dll.mui | 0x02440000 | 0x02440fff | Memory Mapped File | r |
|
|
|
- |
| hdaudio.pnf | 0x02450000 | 0x02467fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002450000 | 0x02450000 | 0x02451fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002470000 | 0x02470000 | 0x0247ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002480000 | 0x02480000 | 0x0287ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002880000 | 0x02880000 | 0x028fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| ~fontcache-system.dat | 0x02880000 | 0x028f5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002900000 | 0x02900000 | 0x029fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a00000 | 0x02a00000 | 0x02afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b00000 | 0x02b00000 | 0x02bfffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-fontface.dat | 0x02c00000 | 0x03bfffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003c00000 | 0x03c00000 | 0x03cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003d00000 | 0x03d00000 | 0x03dfffff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x03e00000 | 0x04e3ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004e40000 | 0x04e40000 | 0x05331fff | Pagefile Backed Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| midimap.dll | 0x73960000 | 0x73967fff | Memory Mapped File | rwx |
|
|
|
- |
| msacm32.dll | 0x73970000 | 0x73987fff | Memory Mapped File | rwx |
|
|
|
- |
| msacm32.drv | 0x73990000 | 0x73998fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x739a0000 | 0x73a64fff | Memory Mapped File | rwx |
|
|
|
- |
| audioses.dll | 0x73a70000 | 0x73ad7fff | Memory Mapped File | rwx |
|
|
|
- |
| ksuser.dll | 0x73ae0000 | 0x73ae6fff | Memory Mapped File | rwx |
|
|
|
- |
| avrt.dll | 0x73af0000 | 0x73af8fff | Memory Mapped File | rwx |
|
|
|
- |
| wdmaud.drv | 0x73b00000 | 0x73b37fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x73b40000 | 0x73c81fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x73c90000 | 0x73ce3fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x73cd0000 | 0x73d76fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x73cf0000 | 0x73d08fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x73d10000 | 0x73d3efff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x73d40000 | 0x73d5afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x73d60000 | 0x73d72fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x73d80000 | 0x73f6ffff | Memory Mapped File | rwx |
|
|
|
- |
| dciman32.dll | 0x73f70000 | 0x73f76fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x73f80000 | 0x73fa0fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x73fb0000 | 0x74270fff | Memory Mapped File | rwx |
|
|
|
- |
| adsldpc.dll | 0x74280000 | 0x742b7fff | Memory Mapped File | rwx |
|
|
|
- |
| ddraw.dll | 0x742c0000 | 0x743aafff | Memory Mapped File | rwx |
|
|
|
- |
| winmmbase.dll | 0x743b0000 | 0x743d2fff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x743e0000 | 0x7454afff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x74550000 | 0x74557fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x74560000 | 0x746bffff | Memory Mapped File | rwx |
|
|
|
- |
| pdh.dll | 0x746c0000 | 0x74702fff | Memory Mapped File | rwx |
|
|
|
- |
| opengl32.dll | 0x74710000 | 0x747effff | Memory Mapped File | rwx |
|
|
|
- |
| activeds.dll | 0x747f0000 | 0x7482afff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x74830000 | 0x74853fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x74860000 | 0x74a83fff | Memory Mapped File | rwx |
|
|
|
- |
| glu32.dll | 0x74a90000 | 0x74ab4fff | Memory Mapped File | rwx |
|
|
|
- |
| odbc32.dll | 0x74ac0000 | 0x74b58fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74b60000 | 0x74bf1fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75220000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75350000 | 0x753a2fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76820000 | 0x768a1fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007fe4d000 | 0x7fe4d000 | 0x7fe4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe50000 | 0x7fe50000 | 0x7feaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 71 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C\ADA6.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C\ADA6.bat | 0.11 KB |
MD5:
6afb328a2dcc48343e0f9121f3cc8f23
SHA1: a6e1f8ef590b1ec7d1b4fbd49cb687ccf2a2956f SHA256: d09d895a8e60365092c3c0343815a77442caab9ac5b827a05fa8c874e882c180 SSDeep: 3:ZMvMZLK6OWRNfeUeDGWmngU64vHXMJATkUExMv1GWl+n:yUrRheiWkvvHXMJ2d/sWIn |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe | 1.11 MB |
MD5:
cac6528c8599238058c70902d8699e11
SHA1: 4b562bb710833310a5619f2f4486d01880265fc1 SHA256: c88ddb4bc057412ffe3421a2de51dfc035b90467cb1720d9939dc8f5f467b60f SSDeep: 24576:sjgCLkNHOU+dS88agRuBvYS3EXiCOLIKmV5rw:sjgvfR/HdCmXE |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop\nstpeer.exe | 1.11 MB |
MD5:
8ac61890b22ca596db61d0f74da67b5d
SHA1: 2132beb454eaffd9b970015dcaa7d73a989d53ed SHA256: 4c603d763a2b79e36492413ff788e1dd795bc09c67b2f4eccad5f339ebe44e89 SSDeep: 24576:PjgCLkNHOU+dS88agRuBvYS3EXiCOLIKmV5rw:PjgvfR/HdCmXE |
|
|
Host Behavior
COM (14)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 2087C2F4-2CEF-4953-A8AB-66779B670495 | 06F29373-5C5A-4B54-B025-6EF1BF8ABF0E | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | BCDE0395-E52F-467C-8E3D-C4579291692E | A95664D2-9614-4F35-A746-DE8DB63617E6 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
8 | |
| Create | 50B6327F-AFD1-11D2-9CB9-0000F87A369E | 5BB11929-AFD1-11D2-9CB9-0000F87A369E | cls_context = CLSCTX_INPROC_SERVER |
|
5 |
File (24)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\98F9CE91 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\c_1252.nls | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
3 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nstpeer.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C\ADA6.bat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create Directory | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C | - |
|
1 | |
| Create Temp File | C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C.tmp | path = C:\Users\CIIHMN~1\AppData\Local\Temp\ |
|
1 | |
| Create Temp File | C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C\ADA6.tmp | path = C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\nstpeer.exe | type = size |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\nstpeer.exe | size = 1159168, size_out = 1159168 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe | size = 4096 |
|
2 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe | size = 1155072 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C\ADA6.bat | size = 110 |
|
1 |
Registry (20)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Open Key | HKEY_USERS | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | value_name = cabilipc, data = 160, type = REG_NONE |
|
1 | |
| Read Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | value_name = AppData, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ |
|
1 | |
| Read Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Client, data = 0, type = REG_NONE |
|
1 | |
| Write Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Run | value_name = cabilipc, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, size = 118, type = REG_SZ |
|
1 | |
| Write Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Install, size = 118, type = REG_BINARY |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C\ADA6.bat | show_window = SW_HIDE |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x77ca0000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x77290000 |
|
1 | |
| Load | SETUPAPI.dll | base_address = 0x76a90000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x75260000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | SHELL32.dll | base_address = 0x75430000 |
|
1 | |
| Load | ole32.dll | base_address = 0x768b0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
4 | |
| Get Handle | c:\users\ciihmnxmn6ps\desktop\nstpeer.exe | base_address = 0x400000 |
|
8 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77ca0000 |
|
3 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x76a10000 |
|
2 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x77150000 |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\nstpeer.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\nstpeer.exe, size = 260 |
|
3 | |
| Get Filename | c:\users\ciihmnxmn6ps\desktop\nstpeer.exe | process_name = c:\users\ciihmnxmn6ps\desktop\nstpeer.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\nstpeer.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memset, address_out = 0x77d0ee50 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = strstr, address_out = 0x77d10010 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = mbstowcs, address_out = 0x77d0e610 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlNtStatusToDosError, address_out = 0x77cf3010 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memcpy, address_out = 0x77d0e7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlGetVersion, address_out = 0x77cffcd0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlUnwind, address_out = 0x77cfaca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationProcess, address_out = 0x77d08d50 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x77d08f40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcessToken, address_out = 0x77d09d20 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationToken, address_out = 0x77d08df0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwClose, address_out = 0x77d08cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcess, address_out = 0x77d08e40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtUnmapViewOfSection, address_out = 0x77d08e80 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtMapViewOfSection, address_out = 0x77d08e60 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtCreateSection, address_out = 0x77d09080 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlFreeUnicodeString, address_out = 0x77cdb940 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlUpcaseUnicodeString, address_out = 0x77cee040 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = _aulldiv, address_out = 0x77d0c680 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQueryVirtualMemory, address_out = 0x77d08e10 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrStrIA, address_out = 0x772acd10 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrChrW, address_out = 0x772a6a00 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindFileNameW, address_out = 0x772a80d0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathCombineW, address_out = 0x772acd50 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindExtensionA, address_out = 0x772b1db0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrChrA, address_out = 0x772b26c0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrTrimW, address_out = 0x772a83a0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindExtensionW, address_out = 0x772a7c40 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrRChrA, address_out = 0x772b2900 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiGetDeviceRegistryPropertyA, address_out = 0x76ae19a0 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiGetClassDevsA, address_out = 0x76ab8d10 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiEnumDeviceInfo, address_out = 0x76aa5620 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiDestroyDeviceInfoList, address_out = 0x76aa5340 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameA, address_out = 0x7527f4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x75279640 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapDestroy, address_out = 0x7527d940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapCreate, address_out = 0x75279950 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x7529d410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileAttributesW, address_out = 0x75286510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x75272d80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyA, address_out = 0x7527e320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SwitchToThread, address_out = 0x75279f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventA, address_out = 0x75285f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempPathA, address_out = 0x75286410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileA, address_out = 0x75286270 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiW, address_out = 0x75277540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetWaitableTimer, address_out = 0x752860d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x752857f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x7529d320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x752861d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileA, address_out = 0x75286170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareFileTime, address_out = 0x75286130 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ResetEvent, address_out = 0x752860b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileTime, address_out = 0x75286380 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessA, address_out = 0x752a0960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryW, address_out = 0x75286150 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateWaitableTimerA, address_out = 0x7527db30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ResumeThread, address_out = 0x7527a280 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SuspendThread, address_out = 0x7527ed00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7527c1f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpynA, address_out = 0x7527f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsA, address_out = 0x752a0da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x75283a30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatA, address_out = 0x7527efc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryA, address_out = 0x75286140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtectEx, address_out = 0x752a2a00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileA, address_out = 0x75286210 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x7527a040 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSize, address_out = 0x75286360 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateRemoteThread, address_out = 0x752a0a00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x75278b70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiA, address_out = 0x75277610 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualFree, address_out = 0x75278c70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLongPathNameW, address_out = 0x752747c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointer, address_out = 0x75286530 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempFileNameA, address_out = 0x752863f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7717ea00 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CharUpperA, address_out = 0x771831c0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = FindWindowA, address_out = 0x77180980 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfW, address_out = 0x7717ddf0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MessageBoxA, address_out = 0x771ccf50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegEnumKeyExA, address_out = 0x76a32520 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteValueW, address_out = 0x76a30ca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x76a5bda0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthorityCount, address_out = 0x76a30f50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthority, address_out = 0x76a30ea0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyA, address_out = 0x76a331a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExA, address_out = 0x76a30750 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyA, address_out = 0x76a33150 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExA, address_out = 0x76a2ee40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExA, address_out = 0x76a2f000 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteW, address_out = 0x755c4370 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x755c4cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = 92, address_out = 0x756a7560 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoUninitialize, address_out = 0x76eadca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x76eacd50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetWindowThreadProcessId, address_out = 0x7716ba70 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, SEC_RESERVE, maximum_size = 4194304 |
|
1 | |
| Map | - | process_name = c:\users\ciihmnxmn6ps\desktop\nstpeer.exe, desired_access = FILE_MAP_ALL_ACCESS |
|
1 |
Driver (1)
| Operation | Driver | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Control | STD_ERROR_HANDLE | control_code = 0x74080 |
|
1 |
Window (10)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = Check Box, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = SysListView32, wndproc_parameter = 0 |
|
1 | |
| Create | | class_name = , wndproc_parameter = 0 |
|
1 | |
| Create | | class_name = , wndproc_parameter = 0 |
|
2 | |
| Find | - | class_name = ProgMan |
|
1 | |
| Set Attribute | - | index = 4, new_long = 3346416 |
|
1 | |
| Set Attribute | - | index = 18446744073709551612, new_long = 3346400 |
|
1 | |
| Set Attribute | - | index = 18446744073709551612, new_long = 3346384 |
|
1 | |
| Set Attribute | - | index = 0, new_long = 0 |
|
1 |
Keyboard (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Read | virtual_key_code = VK_RIGHT, result_out = 0 |
|
2 |
System (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Cursor | x_out = 850, y_out = 596 |
|
1 | |
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
10 | |
| Get Time | type = System Time, time = 2018-11-01 09:57:32 (UTC) |
|
1 | |
| Get Time | type = System Time, time = 2018-11-01 09:57:37 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 138828 |
|
1 | |
| Get Time | type = Ticks, time = 241062 |
|
4 | |
| Get Info | type = Hardware Information |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #2: cmd.exe
254
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C\ADA6.bat" "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\nstpeer.exe"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:41, Reason: Child Process |
| Unmonitor | End Time: 00:02:57, Reason: Self Terminated |
| Monitor Duration | 00:00:16 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8d4 |
| Parent PID | 0xe28 (c:\users\ciihmnxmn6ps\desktop\nstpeer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
274
0x
534
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000330000 | 0x00330000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x0033ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00343fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00351fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00353fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00373fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x004d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x004f0000 | 0x005adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe.mui | 0x00810000 | 0x00830fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0095ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00960000 | 0x00c96fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x010f0000 | 0x0113ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001140000 | 0x01140000 | 0x0513ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x74bf0000 | 0x74bf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f000000 | 0x7f000000 | 0x7f0fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f100000 | 0x7f100000 | 0x7f122fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f124000 | 0x7f124000 | 0x7f124fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f128000 | 0x7f128000 | 0x7f12afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f12b000 | 0x7f12b000 | 0x7f12dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f12e000 | 0x7f12e000 | 0x7f12efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (202)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C\ADA6.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C\ADA6.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C\ADA6.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C\ADA6.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
25 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C\ADA6.bat | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C | type = file_attributes |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
88 | |
| Open | STD_INPUT_HANDLE | - |
|
7 | |
| Open | - | - |
|
12 | |
| Open | - | - |
|
13 | |
| Open | \??\C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C\ADA6.bat | desired_access = DELETE, open_options = FILE_NON_DIRECTORY_FILE, FILE_DELETE_ON_CLOSE, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_DELETE |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
3 | |
| Read | - | size = 8191, size_out = 110 |
|
1 | |
| Read | - | size = 8191, size_out = 99 |
|
1 | |
| Read | - | size = 8191, size_out = 66 |
|
1 | |
| Read | - | size = 8191, size_out = 50 |
|
1 | |
| Read | - | size = 8191, size_out = 19 |
|
1 | |
| Read | - | size = 8191, size_out = 6 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
8 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
4 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
4 | |
| Write | STD_OUTPUT_HANDLE | size = 4 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 63 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 103 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 13 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 10 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 54 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 33 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x898, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x10f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (24)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
3 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
4 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
2 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #4: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd /C ""C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\nstpeer.exe"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:46, Reason: Child Process |
| Unmonitor | End Time: 00:02:57, Reason: Self Terminated |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x898 |
| Parent PID | 0x8d4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
630
0x
A3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000d00000 | 0x00d00000 | 0x00d1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d00000 | 0x00d00000 | 0x00d0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d13fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d23fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d30000 | 0x00d30000 | 0x00d43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00e8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e90000 | 0x00e90000 | 0x00e93fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x00ea0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00eb1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x010f0000 | 0x0113ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001140000 | 0x01140000 | 0x0513ffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x05140000 | 0x051fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005200000 | 0x05200000 | 0x052fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005490000 | 0x05490000 | 0x0549ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x054a0000 | 0x057d6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.sdb | 0x7e900000 | 0x7ec8ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000007ec90000 | 0x7ec90000 | 0x7ed8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ed90000 | 0x7ed90000 | 0x7edb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007edb7000 | 0x7edb7000 | 0x7edb9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edba000 | 0x7edba000 | 0x7edbcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edbd000 | 0x7edbd000 | 0x7edbdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edbe000 | 0x7edbe000 | 0x7edbefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe | os_pid = 0xbec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x10f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (16)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #5: autoclb.exe
304
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe |
| Command Line | "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\nstpeer.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:46, Reason: Child Process |
| Unmonitor | End Time: 00:02:57, Reason: Self Terminated |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbec |
| Parent PID | 0x898 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
278
0x
608
0x
718
0x
B68
0x
B40
0x
6B4
0x
4D8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f3fff | Private Memory | rw |
|
|
|
- |
| autoclb.exe | 0x00400000 | 0x0051efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x006a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x00930fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x00940fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x00950fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x00953fff | Pagefile Backed Memory | r |
|
|
|
- |
| user32.dll.mui | 0x00960000 | 0x00964fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00973fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x00980fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x00983fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000990000 | 0x00990000 | 0x00998fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00990fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x01daffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001db0000 | 0x01db0000 | 0x01deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001df0000 | 0x01df0000 | 0x01e03fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001df0000 | 0x01df0000 | 0x01df0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001df0000 | 0x01df0000 | 0x01df0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001e00000 | 0x01e00000 | 0x01e00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e10000 | 0x01e10000 | 0x01e1ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01e20000 | 0x02156fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002160000 | 0x02160000 | 0x0225ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002160000 | 0x02160000 | 0x0222ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002160000 | 0x02160000 | 0x02217fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002220000 | 0x02220000 | 0x0222ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002230000 | 0x02230000 | 0x02236fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002240000 | 0x02240000 | 0x02240fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002250000 | 0x02250000 | 0x0225ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002260000 | 0x02260000 | 0x0265ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002660000 | 0x02660000 | 0x026dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000026e0000 | 0x026e0000 | 0x0275ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000026e0000 | 0x026e0000 | 0x026e0fff | Private Memory | rw |
|
|
|
- |
| wdmaud.drv.mui | 0x026f0000 | 0x026f0fff | Memory Mapped File | r |
|
|
|
- |
| hdaudio.pnf | 0x02700000 | 0x02717fff | Memory Mapped File | r |
|
|
|
- |
| mmdevapi.dll.mui | 0x02700000 | 0x02700fff | Memory Mapped File | r |
|
|
|
- |
| hdaudio.pnf | 0x02710000 | 0x02727fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002710000 | 0x02710000 | 0x0274ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002750000 | 0x02750000 | 0x02751fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002760000 | 0x02760000 | 0x0285ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002860000 | 0x02860000 | 0x0296ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002860000 | 0x02860000 | 0x0295ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002960000 | 0x02960000 | 0x0296ffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-system.dat | 0x02970000 | 0x029e5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000029f0000 | 0x029f0000 | 0x02aeffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-fontface.dat | 0x02af0000 | 0x03aeffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003af0000 | 0x03af0000 | 0x03beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003bf0000 | 0x03bf0000 | 0x03ceffff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x03cf0000 | 0x04d2ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004d30000 | 0x04d30000 | 0x05221fff | Pagefile Backed Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| midimap.dll | 0x73950000 | 0x73957fff | Memory Mapped File | rwx |
|
|
|
- |
| msacm32.dll | 0x73960000 | 0x73977fff | Memory Mapped File | rwx |
|
|
|
- |
| msacm32.drv | 0x73980000 | 0x73988fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x73990000 | 0x73a54fff | Memory Mapped File | rwx |
|
|
|
- |
| audioses.dll | 0x73a60000 | 0x73ac7fff | Memory Mapped File | rwx |
|
|
|
- |
| avrt.dll | 0x73ad0000 | 0x73ad8fff | Memory Mapped File | rwx |
|
|
|
- |
| ksuser.dll | 0x73ae0000 | 0x73ae6fff | Memory Mapped File | rwx |
|
|
|
- |
| wdmaud.drv | 0x73af0000 | 0x73b27fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x73b30000 | 0x73c71fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x73c80000 | 0x73cd3fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x73cc0000 | 0x73d66fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x73ce0000 | 0x73cf8fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x73d00000 | 0x73d2efff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x73d30000 | 0x73d4afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x73d50000 | 0x73d62fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x73d70000 | 0x73f5ffff | Memory Mapped File | rwx |
|
|
|
- |
| adsldpc.dll | 0x73f60000 | 0x73f97fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x73fa0000 | 0x73fc0fff | Memory Mapped File | rwx |
|
|
|
- |
| dciman32.dll | 0x73fd0000 | 0x73fd6fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x73fe0000 | 0x742a0fff | Memory Mapped File | rwx |
|
|
|
- |
| winmmbase.dll | 0x742b0000 | 0x742d2fff | Memory Mapped File | rwx |
|
|
|
- |
| ddraw.dll | 0x742e0000 | 0x743cafff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x743d0000 | 0x743d7fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x743e0000 | 0x7453ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x74540000 | 0x746aafff | Memory Mapped File | rwx |
|
|
|
- |
| pdh.dll | 0x746b0000 | 0x746f2fff | Memory Mapped File | rwx |
|
|
|
- |
| activeds.dll | 0x74700000 | 0x7473afff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x74740000 | 0x74763fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x74770000 | 0x74993fff | Memory Mapped File | rwx |
|
|
|
- |
| glu32.dll | 0x749a0000 | 0x749c4fff | Memory Mapped File | rwx |
|
|
|
- |
| opengl32.dll | 0x749d0000 | 0x74aaffff | Memory Mapped File | rwx |
|
|
|
- |
| odbc32.dll | 0x74ab0000 | 0x74b48fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74b50000 | 0x74be1fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75220000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75350000 | 0x753a2fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76820000 | 0x768a1fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.sdb | 0x7fb20000 | 0x7feaffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000007fe50000 | 0x7fe50000 | 0x7feaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 55 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
COM (14)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 2087C2F4-2CEF-4953-A8AB-66779B670495 | 06F29373-5C5A-4B54-B025-6EF1BF8ABF0E | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | BCDE0395-E52F-467C-8E3D-C4579291692E | A95664D2-9614-4F35-A746-DE8DB63617E6 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
8 | |
| Create | 50B6327F-AFD1-11D2-9CB9-0000F87A369E | 5BB11929-AFD1-11D2-9CB9-0000F87A369E | cls_context = CLSCTX_INPROC_SERVER |
|
5 |
File (12)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\98F9CE91 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\c_1252.nls | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
3 | |
| Create Directory | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw | - |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Delete | C:\Users\CIIHMN~1\Desktop\nstpeer.exe | - |
|
1 |
Registry (12)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Open Key | HKEY_USERS | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | value_name = cabilipc, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | value_name = AppData, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\svchost.exe | os_pid = 0xd0c, creation_flags = CREATE_SUSPENDED, CREATE_DEFAULT_ERROR_MODE, show_window = SW_HIDE |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Thread (6)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Suspend | c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe | os_tid = 0x4d8 |
|
1 | |
| Get Context | c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe | os_tid = 0x4d8 |
|
2 | |
| Set Context | c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe | os_tid = 0x4d8 |
|
1 | |
| Resume | c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe | os_tid = 0x4d8 |
|
2 |
Memory (5)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | C:\Windows\system32\svchost.exe | address = 0x5d5f0c0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 97906876 |
|
1 | |
| Protect | C:\Windows\system32\svchost.exe | address = 0x7ff673b43440, protection = PAGE_EXECUTE_READWRITE, size = 97908216 |
|
1 | |
| Protect | C:\Windows\system32\svchost.exe | address = 0x7ff673b43000, protection = PAGE_EXECUTE_READ, size = 97908216 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x970000, size = 792 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x7ff673b43440, size = 4 |
|
1 |
Module (204)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x77ca0000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x77290000 |
|
1 | |
| Load | SETUPAPI.dll | base_address = 0x76a90000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x75260000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | SHELL32.dll | base_address = 0x75430000 |
|
1 | |
| Load | ole32.dll | base_address = 0x768b0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
5 | |
| Get Handle | c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe | base_address = 0x400000 |
|
8 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77ca0000 |
|
19 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x76a10000 |
|
2 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x77150000 |
|
2 | |
| Get Filename | - | process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe, size = 260 |
|
3 | |
| Get Filename | c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe | process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memset, address_out = 0x77d0ee50 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = strstr, address_out = 0x77d10010 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = mbstowcs, address_out = 0x77d0e610 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlNtStatusToDosError, address_out = 0x77cf3010 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memcpy, address_out = 0x77d0e7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlGetVersion, address_out = 0x77cffcd0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlUnwind, address_out = 0x77cfaca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationProcess, address_out = 0x77d08d50 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x77d08f40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcessToken, address_out = 0x77d09d20 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationToken, address_out = 0x77d08df0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwClose, address_out = 0x77d08cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcess, address_out = 0x77d08e40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtUnmapViewOfSection, address_out = 0x77d08e80 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtMapViewOfSection, address_out = 0x77d08e60 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtCreateSection, address_out = 0x77d09080 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlFreeUnicodeString, address_out = 0x77cdb940 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlUpcaseUnicodeString, address_out = 0x77cee040 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = _aulldiv, address_out = 0x77d0c680 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQueryVirtualMemory, address_out = 0x77d08e10 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrStrIA, address_out = 0x772acd10 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrChrW, address_out = 0x772a6a00 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindFileNameW, address_out = 0x772a80d0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathCombineW, address_out = 0x772acd50 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindExtensionA, address_out = 0x772b1db0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrChrA, address_out = 0x772b26c0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrTrimW, address_out = 0x772a83a0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindExtensionW, address_out = 0x772a7c40 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrRChrA, address_out = 0x772b2900 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiGetDeviceRegistryPropertyA, address_out = 0x76ae19a0 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiGetClassDevsA, address_out = 0x76ab8d10 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiEnumDeviceInfo, address_out = 0x76aa5620 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiDestroyDeviceInfoList, address_out = 0x76aa5340 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameA, address_out = 0x7527f4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x75279640 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapDestroy, address_out = 0x7527d940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapCreate, address_out = 0x75279950 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x7529d410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileAttributesW, address_out = 0x75286510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x75272d80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyA, address_out = 0x7527e320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SwitchToThread, address_out = 0x75279f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventA, address_out = 0x75285f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempPathA, address_out = 0x75286410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileA, address_out = 0x75286270 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiW, address_out = 0x75277540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetWaitableTimer, address_out = 0x752860d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x752857f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x7529d320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x752861d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileA, address_out = 0x75286170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareFileTime, address_out = 0x75286130 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ResetEvent, address_out = 0x752860b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileTime, address_out = 0x75286380 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessA, address_out = 0x752a0960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryW, address_out = 0x75286150 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateWaitableTimerA, address_out = 0x7527db30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ResumeThread, address_out = 0x7527a280 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SuspendThread, address_out = 0x7527ed00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7527c1f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpynA, address_out = 0x7527f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsA, address_out = 0x752a0da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x75283a30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatA, address_out = 0x7527efc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryA, address_out = 0x75286140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtectEx, address_out = 0x752a2a00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileA, address_out = 0x75286210 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x7527a040 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSize, address_out = 0x75286360 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateRemoteThread, address_out = 0x752a0a00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x75278b70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiA, address_out = 0x75277610 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualFree, address_out = 0x75278c70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLongPathNameW, address_out = 0x752747c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointer, address_out = 0x75286530 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempFileNameA, address_out = 0x752863f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7717ea00 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CharUpperA, address_out = 0x771831c0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = FindWindowA, address_out = 0x77180980 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfW, address_out = 0x7717ddf0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MessageBoxA, address_out = 0x771ccf50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegEnumKeyExA, address_out = 0x76a32520 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteValueW, address_out = 0x76a30ca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x76a5bda0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthorityCount, address_out = 0x76a30f50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthority, address_out = 0x76a30ea0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyA, address_out = 0x76a331a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExA, address_out = 0x76a30750 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyA, address_out = 0x76a33150 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExA, address_out = 0x76a2ee40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExA, address_out = 0x76a2f000 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteW, address_out = 0x755c4370 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x755c4cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = 92, address_out = 0x756a7560 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoUninitialize, address_out = 0x76eadca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x76eacd50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetWindowThreadProcessId, address_out = 0x7716ba70 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Wow64EnableWow64FsRedirection, address_out = 0x7529b6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwWow64QueryInformationProcess64, address_out = 0x77d0a840 |
|
15 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwWow64ReadVirtualMemory64, address_out = 0x77d0a860 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, SEC_RESERVE, maximum_size = 4194304 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 97908184 |
|
1 | |
| Map | - | process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, desired_access = FILE_MAP_ALL_ACCESS |
|
1 | |
| Map | - | process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x6270000 |
|
1 | |
| Map | - | process_name = C:\Windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x830000 |
|
1 |
Driver (1)
| Operation | Driver | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Control | STD_ERROR_HANDLE | control_code = 0x74080 |
|
1 |
Window (11)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = Check Box, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = SysListView32, wndproc_parameter = 0 |
|
1 | |
| Create | | class_name = , wndproc_parameter = 0 |
|
1 | |
| Create | | class_name = , wndproc_parameter = 0 |
|
2 | |
| Find | - | class_name = ProgMan |
|
2 | |
| Set Attribute | - | index = 4, new_long = 9703408 |
|
1 | |
| Set Attribute | - | index = 18446744073709551612, new_long = 9703392 |
|
1 | |
| Set Attribute | - | index = 18446744073709551612, new_long = 9703376 |
|
1 | |
| Set Attribute | - | index = 0, new_long = 0 |
|
1 |
Keyboard (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Read | virtual_key_code = VK_RIGHT, result_out = 0 |
|
2 |
System (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Cursor | x_out = 726, y_out = 383 |
|
1 | |
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
10 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2018-11-01 09:59:28 (UTC) |
|
1 | |
| Get Time | type = System Time, time = 2018-11-01 09:59:30 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 249734 |
|
1 | |
| Get Info | type = Hardware Information |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #6: svchost.exe
314
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:54, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd0c |
| Parent PID | 0xbec (c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F4
0x
BAC
0x
594
0x
4FC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000830000 | 0x00830000 | 0x00962fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00970fff | Private Memory | rwx |
|
|
|
- |
| private_0x000000007f9fa000 | 0x7f9fa000 | 0x7f9fafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000affc830000 | 0xaffc830000 | 0xaffc84ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000affc830000 | 0xaffc830000 | 0xaffc83ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xaffc840000 | 0xaffc840fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000affc850000 | 0xaffc850000 | 0xaffc863fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000affc870000 | 0xaffc870000 | 0xaffc8effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000affc8f0000 | 0xaffc8f0000 | 0xaffc8f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000affc900000 | 0xaffc900000 | 0xaffc900fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000affc910000 | 0xaffc910000 | 0xaffc911fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xaffc920000 | 0xaffc9ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000affc9e0000 | 0xaffc9e0000 | 0xaffc9e0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000affc9f0000 | 0xaffc9f0000 | 0xaffc9f0fff | Private Memory | rw |
|
|
|
- |
| msvfw32.dll.mui | 0xaffca00000 | 0xaffca01fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000affca10000 | 0xaffca10000 | 0xaffca16fff | Private Memory | rw |
|
|
|
- |
| private_0x000000affca20000 | 0xaffca20000 | 0xaffca9ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0xaffcaa0000 | 0xaffcad3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000affcb00000 | 0xaffcb00000 | 0xaffcbfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000affcc00000 | 0xaffcc00000 | 0xaffcc6cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000affcc70000 | 0xaffcc70000 | 0xaffce6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000affcd00000 | 0xaffcd00000 | 0xaffcdfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000affce00000 | 0xaffce00000 | 0xaffcf87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000affcf90000 | 0xaffcf90000 | 0xaffd110fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000affd120000 | 0xaffd120000 | 0xaffe51ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000affe520000 | 0xaffe520000 | 0xaffe5dcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000affe5e0000 | 0xaffe5e0000 | 0xaffe7dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000affe600000 | 0xaffe600000 | 0xaffe6fffff | Private Memory | rw |
|
|
|
- |
| oleaut32.dll | 0xaffe700000 | 0xaffe7bcfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000affe700000 | 0xaffe700000 | 0xaffe82cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000affe830000 | 0xaffe830000 | 0xaffea2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000affe900000 | 0xaffe900000 | 0xaffe9fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000affea00000 | 0xaffea00000 | 0xaffebfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000affea00000 | 0xaffea00000 | 0xaffeafffff | Private Memory | rw |
|
|
|
- |
| private_0x000000affeb00000 | 0xaffeb00000 | 0xaffecfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000affeb00000 | 0xaffeb00000 | 0xaffebfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000affec00000 | 0xaffec00000 | 0xaffedfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000affec00000 | 0xaffec00000 | 0xaffecfffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xaffed00000 | 0xafff036fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000afff040000 | 0xafff040000 | 0xafff172fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| pagefile_0x00007df5ff1e0000 | 0x7df5ff1e0000 | 0x7ff5ff1dffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff672e00000 | 0x7ff672e00000 | 0x7ff672efffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff672f00000 | 0x7ff672f00000 | 0x7ff672f22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff672f24000 | 0x7ff672f24000 | 0x7ff672f24fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672f2c000 | 0x7ff672f2c000 | 0x7ff672f2dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672f2e000 | 0x7ff672f2e000 | 0x7ff672f2ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff673b40000 | 0x7ff673b4cfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8d5170000 | 0x7ff8d5219fff | Memory Mapped File | rwx |
|
|
|
- |
| msacm32.dll | 0x7ff8d5220000 | 0x7ff8d523bfff | Memory Mapped File | rwx |
|
|
|
- |
| avifil32.dll | 0x7ff8d5240000 | 0x7ff8d525ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvfw32.dll | 0x7ff8d64c0000 | 0x7ff8d64e8fff | Memory Mapped File | rwx |
|
|
|
- |
| winmmbase.dll | 0x7ff8db910000 | 0x7ff8db93bfff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x7ff8db940000 | 0x7ff8db962fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ff8e9720000 | 0x7ff8e9746fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x7ff8ee240000 | 0x7ff8ee247fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #5: c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe | 0x4d8 | address = 0x830000, size = 1257472 |
|
1 | |
| Modify Memory | #5: c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe | 0x4d8 | address = 0x970000, size = 792 |
|
1 | |
| Modify Control Flow | #5: c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe | 0x4d8 | os_tid = 0xf4, address = 0x72f24000 |
|
1 | |
| Modify Memory | #5: c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe | 0x4d8 | address = 0x7ff673b43440, size = 4 |
|
1 |
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SYSTEM32\ntdll.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
3 | |
| Read | C:\Windows\SYSTEM32\ntdll.dll | size = 4, size_out = 4 |
|
3 |
Registry (12)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Ini, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Client, data = 232, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductID, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductName, data = 87 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = CurrentVersion, data = 54 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Scr, type = REG_NONE |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Client, size = 40, type = REG_BINARY |
|
1 |
Process (35)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\system32\svchost.exe | type = PROCESS_BASIC_INFORMATION |
|
34 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Thread (7)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | c:\windows\explorer.exe | proc_address = 0x7ff8ee389fa0, proc_parameter = 0, flags = THREAD_CREATE_SUSPENDED |
|
1 | |
| Suspend | c:\windows\explorer.exe | os_tid = 0x8e8 |
|
1 | |
| Get Context | c:\windows\explorer.exe | os_tid = 0x8e8 |
|
2 | |
| Set Context | c:\windows\explorer.exe | os_tid = 0x8e8 |
|
1 | |
| Resume | c:\windows\explorer.exe | os_tid = 0x8e8 |
|
2 |
Memory (9)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | c:\windows\explorer.exe | address = 0xaffc8ef040, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 755856502856 |
|
1 | |
| Protect | c:\windows\explorer.exe | address = 0x7ff8ee389fa0, protection = PAGE_EXECUTE_READWRITE, size = 4 |
|
2 | |
| Protect | c:\windows\explorer.exe | address = 0x7ff8ee389fa0, protection = PAGE_EXECUTE_READ, size = 4 |
|
2 | |
| Read | c:\windows\explorer.exe | address = 0x7ff8ee389fa0, size = 4 |
|
1 | |
| Write | c:\windows\explorer.exe | address = 0x7ff8ee389fa0, size = 4 |
|
2 | |
| Write | c:\windows\explorer.exe | address = 0xf80000, size = 792 |
|
1 |
Module (227)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x0 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x0 |
|
1 | |
| Load | AVIFIL32.dll | base_address = 0x0 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x7ff8ee190000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x7ff8edfe0000 |
|
1 | |
| Load | USER32.dll | base_address = 0x7ff8ebdc0000 |
|
1 | |
| Load | PSAPI.DLL | base_address = 0x7ff8ee240000 |
|
1 | |
| Get Handle | c:\windows\system32\svchost.exe | base_address = 0x7ff673b40000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ff8ee2d0000 |
|
5 | |
| Get Handle | c:\windows\system32\ntdll.dll | base_address = 0x7ff8ee380000 |
|
4 | |
| Get Handle | c:\windows\system32\kernelbase.dll | base_address = 0x7ff8eb870000 |
|
1 | |
| Get Handle | c:\windows\system32\advapi32.dll | base_address = 0x7ff8ee190000 |
|
2 | |
| Get Filename | AVIFIL32.dll | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260 |
|
2 | |
| Get Filename | c:\windows\system32\ntdll.dll | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
3 | |
| Get Address | - | function = NtCreateSection, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = NtUnmapViewOfSection, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = NtMapViewOfSection, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = ZwOpenProcessToken, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = ZwClose, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = ZwQueryInformationToken, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = ZwOpenProcess, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = NtQuerySystemInformation, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = RtlNtStatusToDosError, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = ZwQueryInformationProcess, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = _wcsupr, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = _strupr, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = memmove, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = bsearch, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = _vsnwprintf, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = _strlwr, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = atoi, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = strstr, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = wcscpy, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = ZwQueryKey, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = RtlFreeUnicodeString, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = sprintf, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = _snprintf, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = memset, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = memcpy, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = strcpy, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = RtlAdjustPrivilege, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = mbstowcs, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = RtlImageNtHeader, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = memcmp, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = __C_specific_handler, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = __chkstk, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetLocalTime, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = OpenProcess, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = VirtualQueryEx, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = CreateRemoteThread, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetModuleFileNameW, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetVersion, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = SetEndOfFile, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = RemoveDirectoryW, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetTempFileNameA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = DeleteCriticalSection, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = CloseHandle, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = WriteProcessMemory, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = CreateFileA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = lstrcmpiA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetModuleFileNameA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetCurrentProcess, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = lstrcmpA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetModuleHandleA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = CreateFileMappingA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = MapViewOfFile, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = Sleep, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GlobalLock, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = lstrlenA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GlobalAlloc, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GlobalUnlock, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = HeapAlloc, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = lstrcpyA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetLastError, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = HeapFree, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = RemoveDirectoryA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = DeleteFileA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = lstrcatA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = WriteFile, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = CreateDirectoryA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = HeapDestroy, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = HeapCreate, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = SetEvent, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = HeapReAlloc, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetTickCount, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = FindNextFileW, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = CopyFileW, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = SetWaitableTimer, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = LocalAlloc, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetCurrentThread, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetCurrentThreadId, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = lstrlenW, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = CreateEventA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetWindowsDirectoryA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = DeleteFileW, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = CreateDirectoryW, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = CreateWaitableTimerA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetTempPathA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = FindFirstFileW, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = LocalFree, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = TerminateProcess, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = SuspendThread, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = WaitForMultipleObjects, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = ResumeThread, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = lstrcpyW, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = FileTimeToSystemTime, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = CreateThread, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = CreateFileW, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = ResetEvent, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = SwitchToThread, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = lstrcatW, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = CreateProcessW, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetFileSize, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetFileAttributesW, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = WideCharToMultiByte, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = LeaveCriticalSection, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = SetLastError, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = EnterCriticalSection, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetComputerNameA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = CreateMutexA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = OpenWaitableTimerA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = OpenMutexA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetVolumeInformationA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = WaitForSingleObject, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = ReleaseMutex, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetComputerNameW, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = InitializeCriticalSection, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = LoadLibraryExW, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = VirtualFree, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetFileAttributesA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = OpenFileMappingA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetExitCodeProcess, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = CreateProcessA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = lstrcpynA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = LocalReAlloc, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = TlsAlloc, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = TlsGetValue, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = TlsSetValue, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = LoadLibraryW, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetVersionExW, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = FreeLibrary, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = ReadFile, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = SetFilePointer, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = Thread32First, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = QueueUserAPC, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = OpenThread, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = Thread32Next, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = FindFirstFileA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = FindNextFileA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = ConnectNamedPipe, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetOverlappedResult, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = CancelIo, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = DisconnectNamedPipe, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = FlushFileBuffers, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = CallNamedPipeA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = CreateNamedPipeA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetSystemTime, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = WaitNamedPipeA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetCurrentProcessId, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = SleepEx, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = OpenEventA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = lstrcmpiW, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = RaiseException, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetSystemInfo, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = Process32NextW, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = Process32FirstW, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = QueueUserWorkItem, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = FindClose, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = GetDriveTypeW, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = VirtualProtectEx, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = AVIStreamRelease, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = AVIStreamWrite, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = AVIFileOpenA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = AVIFileCreateStreamA, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = AVIStreamSetFormat, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = AVIFileExit, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = AVIFileInit, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = AVIMakeCompressedStream, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | - | function = AVIFileRelease, ordinal = 0, address_out = 0xaffc8efeb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7ff8ee2ee960 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ff8ee1ad610 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrRChrA, address_out = 0x7ff8edff4dd0 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x7ff8ebde2610 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyA, address_out = 0x7ff8ee1ab9e0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegQueryValueExA, address_out = 0x7ff8ee1a7dd0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7ff8ee1a72e0 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrToIntExA, address_out = 0x7ff8edff4e70 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrChrA, address_out = 0x7ff8edff4cc0 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrTrimA, address_out = 0x7ff8edff4e80 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7ff8ee1bec40 |
|
1 | |
| Get Address | c:\windows\system32\psapi.dll | function = EnumProcessModules, address_out = 0x7ff8ee241040 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrStrIW, address_out = 0x7ff8edfeb260 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetShellWindow, address_out = 0x7ff8ebde4060 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetWindowThreadProcessId, address_out = 0x7ff8ebdd4040 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlExitUserThread, address_out = 0x7ff8ee389fa0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyA, address_out = 0x7ff8ee1d6dc0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameW, address_out = 0x7ff8ee1ada40 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegSetValueExA, address_out = 0x7ff8ee192680 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExA, address_out = 0x7ff8ee1a7d70 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 755856504288 |
|
1 | |
| Map | - | process_name = c:\windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xafff040000 |
|
1 | |
| Map | - | process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x6260000 |
|
1 |
System (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | - |
|
1 | |
| Get Computer Name | result_out = LHNIWSJ |
|
2 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Get Time | type = Ticks, time = 258031 |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = {02F1C55C-79FC-84FB-1356-BDF8F7EA41AC} |
|
1 |
Process #7: explorer.exe
1247
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\explorer.exe |
| Command Line | C:\Windows\Explorer.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:58, Reason: Injection |
| Unmonitor | End Time: 00:03:09, Reason: Self Terminated |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x508 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C5C
0x
6A8
0x
C88
0x
90C
0x
960
0x
7C8
0x
7E8
0x
95C
0x
974
0x
46C
0x
BE0
0x
BDC
0x
A98
0x
A94
0x
A18
0x
970
0x
964
0x
950
0x
948
0x
930
0x
92C
0x
8FC
0x
8F8
0x
8F4
0x
8F0
0x
8A4
0x
878
0x
86C
0x
848
0x
840
0x
830
0x
82C
0x
810
0x
80C
0x
804
0x
478
0x
5B4
0x
5E8
0x
55C
0x
8E8
0x
610
0x
4DC
0x
DF4
0x
D30
0x
91C
0x
5F0
0x
E1C
0x
DCC
0x
E18
0x
DC8
0x
32C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x00dcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00dd6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x00df3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00e7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x00e83fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e90000 | 0x00e90000 | 0x00e92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00ea1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00eb0000 | 0x00f6dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000f70000 | 0x00f70000 | 0x00f70fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f90000 | 0x00f90000 | 0x00f91fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000fa0000 | 0x00fa0000 | 0x00fa2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x00fb1fff | Pagefile Backed Memory | r |
|
|
|
- |
| wscui.cpl.mui | 0x00fd0000 | 0x00fe1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x00ff6fff | Private Memory | rw |
|
|
|
- |
| explorer.exe.mui | 0x01000000 | 0x01007fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x01010fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x01020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001030000 | 0x01030000 | 0x01030fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001040000 | 0x01040000 | 0x01040fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x01050fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001060000 | 0x01060000 | 0x01060fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x01070000 | 0x01073fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x01080000 | 0x01092fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x0119ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000011a0000 | 0x011a0000 | 0x011a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000011b0000 | 0x011b0000 | 0x0122ffff | Private Memory | rw |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000034.db | 0x01230000 | 0x0124dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001250000 | 0x01250000 | 0x01252fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001260000 | 0x01260000 | 0x0126ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001270000 | 0x01270000 | 0x01272fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001280000 | 0x01280000 | 0x012a9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000012b0000 | 0x012b0000 | 0x012b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000012c0000 | 0x012c0000 | 0x012cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000012d0000 | 0x012d0000 | 0x01457fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001460000 | 0x01460000 | 0x015e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000015f0000 | 0x015f0000 | 0x029effff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x029f0000 | 0x02d26fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002d30000 | 0x02d30000 | 0x02daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002db0000 | 0x02db0000 | 0x02e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e30000 | 0x02e30000 | 0x02eaffff | Private Memory | rw |
|
|
|
- |
| shell32.dll.mui | 0x02eb0000 | 0x02f10fff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll.mui | 0x02f20000 | 0x02ffefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003000000 | 0x03000000 | 0x0307ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003080000 | 0x03080000 | 0x030fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003100000 | 0x03100000 | 0x0317ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003180000 | 0x03180000 | 0x03181fff | Pagefile Backed Memory | r |
|
|
|
- |
| oleaccrc.dll | 0x03190000 | 0x03191fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll.mui | 0x031a0000 | 0x031a4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000031b0000 | 0x031b0000 | 0x03267fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000003270000 | 0x03270000 | 0x03273fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003280000 | 0x03280000 | 0x0337ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003380000 | 0x03380000 | 0x0347ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003480000 | 0x03480000 | 0x03480fff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x03490000 | 0x044cffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000044d0000 | 0x044d0000 | 0x044d6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044e0000 | 0x044e0000 | 0x044e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044f0000 | 0x044f0000 | 0x044f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004500000 | 0x04500000 | 0x04500fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004590000 | 0x04590000 | 0x04591fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045a0000 | 0x045a0000 | 0x045a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045b0000 | 0x045b0000 | 0x045b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045c0000 | 0x045c0000 | 0x045c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000045d0000 | 0x045d0000 | 0x045d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x045e0000 | 0x045e3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000045f0000 | 0x045f0000 | 0x045f0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004600000 | 0x04600000 | 0x04600fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004610000 | 0x04610000 | 0x04610fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004620000 | 0x04620000 | 0x04622fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004630000 | 0x04630000 | 0x04668fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000004670000 | 0x04670000 | 0x04672fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004680000 | 0x04680000 | 0x04680fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x04690fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046a0000 | 0x046a0000 | 0x0471ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004720000 | 0x04720000 | 0x0479ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000047a0000 | 0x047a0000 | 0x047a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x047b0000 | 0x047b3fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0x047c0000 | 0x04802fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x04810000 | 0x04813fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x04820000 | 0x048aafff | Memory Mapped File | r |
|
|
|
- |
| propsys.dll.mui | 0x048b0000 | 0x048c0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004950000 | 0x04950000 | 0x049cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049d0000 | 0x049d0000 | 0x04a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a50000 | 0x04a50000 | 0x04a50fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a60000 | 0x04a60000 | 0x04adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ae0000 | 0x04ae0000 | 0x04b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b60000 | 0x04b60000 | 0x04bdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004be0000 | 0x04be0000 | 0x050d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000050e0000 | 0x050e0000 | 0x050e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005170000 | 0x05170000 | 0x05171fff | Pagefile Backed Memory | r |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000035.db | 0x05180000 | 0x0519bfff | Memory Mapped File | r |
|
|
|
- |
| hcproviders.dll.mui | 0x051a0000 | 0x051a1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000051e0000 | 0x051e0000 | 0x051effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000051f0000 | 0x051f0000 | 0x051f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005200000 | 0x05200000 | 0x05200fff | Pagefile Backed Memory | rw |
|
|
|
- |
| actioncenter.dll.mui | 0x05210000 | 0x0521afff | Memory Mapped File | r |
|
|
|
- |
| windows.storage.dll.mui | 0x05240000 | 0x05247fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000005250000 | 0x05250000 | 0x05252fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x052effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052f0000 | 0x052f0000 | 0x0536ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x053effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053f0000 | 0x053f0000 | 0x0546ffff | Private Memory | rw |
|
|
|
- |
| winnlsres.dll | 0x05470000 | 0x05474fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0x05480000 | 0x0548ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000005510000 | 0x05510000 | 0x05510fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000005520000 | 0x05520000 | 0x05520fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005530000 | 0x05530000 | 0x05530fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005540000 | 0x05540000 | 0x055bffff | Private Memory | rw |
|
|
|
- |
| mswsock.dll.mui | 0x055c0000 | 0x055c2fff | Memory Mapped File | r |
|
|
|
- |
| counters.dat | 0x055e0000 | 0x055e0fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000055f0000 | 0x055f0000 | 0x05deffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000005df0000 | 0x05df0000 | 0x05df2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005e00000 | 0x05e00000 | 0x05e00fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005e10000 | 0x05e10000 | 0x05e12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005e20000 | 0x05e20000 | 0x05e20fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005e30000 | 0x05e30000 | 0x05e38fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005e40000 | 0x05e40000 | 0x05e43fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005e50000 | 0x05e50000 | 0x05e50fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000005e70000 | 0x05e70000 | 0x05e78fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005e80000 | 0x05e80000 | 0x05e80fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005f10000 | 0x05f10000 | 0x05f1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000005f20000 | 0x05f20000 | 0x05f2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000005f30000 | 0x05f30000 | 0x05f3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000005f90000 | 0x05f90000 | 0x0608ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000006090000 | 0x06090000 | 0x06092fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000060f0000 | 0x060f0000 | 0x06137fff | Private Memory | rw |
|
|
|
- |
| stobject.dll.mui | 0x06170000 | 0x06171fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006180000 | 0x06180000 | 0x061ebfff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x06210000 | 0x06210fff | Memory Mapped File | r |
|
|
|
- |
| netmsg.dll.mui | 0x06220000 | 0x06251fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006400000 | 0x06400000 | 0x06447fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006450000 | 0x06450000 | 0x064cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000006560000 | 0x06560000 | 0x06561fff | Pagefile Backed Memory | r |
|
|
|
- |
| grooveintlresource.dll | 0x06570000 | 0x06df2fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000006e00000 | 0x06e00000 | 0x06e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006f10000 | 0x06f10000 | 0x06f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006f90000 | 0x06f90000 | 0x06fd8fff | Private Memory | rw |
|
|
|
- |
| appdb.dat | 0x06fe0000 | 0x09361fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000009370000 | 0x09370000 | 0x093effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000095f0000 | 0x095f0000 | 0x097effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000097f0000 | 0x097f0000 | 0x0986ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000009a70000 | 0x09a70000 | 0x09a72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000009a80000 | 0x09a80000 | 0x09b7ffff | Private Memory | rw |
|
|
|
- |
| pnidui.dll.mui | 0x09b80000 | 0x09b81fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000009b90000 | 0x09b90000 | 0x09b92fff | Pagefile Backed Memory | r |
|
|
|
- |
| bthprops.cpl.mui | 0x09ba0000 | 0x09ba3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000009bb0000 | 0x09bb0000 | 0x09bb0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000009be0000 | 0x09be0000 | 0x09be0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000009c00000 | 0x09c00000 | 0x09c02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000009c30000 | 0x09c30000 | 0x09c44fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009d10000 | 0x09d10000 | 0x09d8ffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 326 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create Remote Thread | #6: c:\windows\system32\svchost.exe | 0xf4 | address = 0x7ff8ee389fa0 |
|
1 | |
| Modify Memory | #6: c:\windows\system32\svchost.exe | 0xf4 | address = 0x7ff8ee389fa0, size = 4 |
|
2 | |
| Modify Memory | #6: c:\windows\system32\svchost.exe | 0xf4 | address = 0x6260000, size = 1257472 |
|
1 | |
| Modify Memory | #6: c:\windows\system32\svchost.exe | 0xf4 | address = 0xf80000, size = 792 |
|
1 | |
| Modify Control Flow | #6: c:\windows\system32\svchost.exe | 0xf4 | os_tid = 0x8e8, address = 0x0 |
|
1 |
Host Behavior
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Pipe | \device\namedpipe\{072bb6f5-baec-d114-fc2b-8e95f08fa299} | open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_TYPE_MESSAGE, max_instances = 255 |
|
1 |
Registry (320)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Ini, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Install, type = REG_BINARY |
|
2 | |
| Read Value | CurVer | type = REG_NONE |
|
14 | |
| Read Value | Clsid | type = REG_NONE |
|
4 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Client, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductID, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductName, data = 87 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = CurrentVersion, data = 54 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = {111F6A44-3C4D-6BC7-CED5-30CFE2D96473}, type = REG_NONE |
|
1 | |
| Read Value | ShellEx\LibraryDescriptionHandler | type = REG_NONE |
|
38 | |
| Read Value | - | value_name = .ods, type = REG_NONE |
|
1 | |
| Read Value | - | value_name = Content Type, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\.ods | value_name = PerceivedType, type = REG_NONE |
|
7 | |
| Read Value | Clsid | type = REG_NONE |
|
5 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PropertySystem\SystemPropertyHandlers | value_name = .ods, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.ods | type = REG_NONE |
|
1 | |
| Read Value | ShellEx\PropertyHandler | type = REG_NONE |
|
4 | |
| Read Value | ShellEx\{973810AE-9599-4B88-9E4D-6EE98C9552DA} | type = REG_NONE |
|
7 | |
| Read Value | HKEY_CLASSES_ROOT\.ods | type = REG_NONE |
|
1 | |
| Read Value | command | value_name = DelegateExecute, type = REG_NONE |
|
1 | |
| Read Value | ShellEx\{000214F9-0000-0000-C000-000000000046} | type = REG_NONE |
|
4 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows | value_name = DisplayVersion, type = REG_NONE |
|
8 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = PaintDesktopVersion, type = REG_NONE |
|
8 | |
| Read Value | - | type = REG_NONE |
|
6 | |
| Read Value | TreatAs | type = REG_NONE |
|
9 | |
| Read Value | - | - |
|
1 | |
| Read Value | - | value_name = InprocServer32 |
|
8 | |
| Read Value | - | data = 0 |
|
16 | |
| Read Value | - | data = C:\Windows\system32\dataexchange.dll |
|
1 | |
| Read Value | - | value_name = ThreadingModel, data = Both |
|
7 | |
| Read Value | InprocHandler32 | - |
|
9 | |
| Read Value | InprocHandler | - |
|
9 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search | value_name = UseApp |
|
9 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search | value_name = SearchboxTaskbarMode, type = REG_NONE |
|
9 | |
| Read Value | - | data = Connected Account Services |
|
1 | |
| Read Value | - | data = C:\Windows\system32\SettingSyncCore.dll |
|
1 | |
| Read Value | - | value_name = ActivationType, type = REG_NONE |
|
2 | |
| Read Value | - | value_name = Threading, type = REG_NONE |
|
1 | |
| Read Value | - | value_name = TrustLevel, type = REG_NONE |
|
2 | |
| Read Value | - | value_name = ActivateAsUser, type = REG_NONE |
|
1 | |
| Read Value | - | data = Authentication UI Legacy Shutdown Dialog |
|
1 | |
| Read Value | - | data = C:\Windows\system32\shutdownux.dll |
|
1 | |
| Read Value | - | value_name = ThreadingModel, data = Apartment |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TokenBroker\DefaultAccount | value_name = providerId, type = REG_NONE |
|
3 | |
| Read Value | - | data = Identity Store |
|
1 | |
| Read Value | - | data = C:\Windows\System32\IDStore.dll |
|
2 | |
| Read Value | - | data = Connected User Store |
|
1 | |
| Read Value | - | value_name = Reason Setting, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | value_name = NoDisconnect |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | value_name = NoDisconnect |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | value_name = NoLogoff |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | value_name = NoLogoff |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings | value_name = ShowHibernateOption |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings | value_name = ShowSleepOption |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU | value_name = NoAUShutdownOption |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU | value_name = NoAUShutdownOption |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU | value_name = NoAUAsDefaultShutdownOption |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU | value_name = NoAUAsDefaultShutdownOption |
|
1 | |
| Read Value | W32:000000000004022C | value_name = VirtualDesktop, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\.flv | value_name = PerceivedType, type = REG_NONE |
|
4 | |
| Read Value | HKEY_CLASSES_ROOT\SystemFileAssociations\.flv | value_name = PerceivedType, type = REG_NONE |
|
4 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GameDVR | value_name = VKToggleGameBar, type = REG_NONE |
|
2 | |
| Read Value | HKEY_CLASSES_ROOT\.flv | type = REG_NONE |
|
1 | |
| Read Value | - | value_name = Hidden, data = 0 |
|
1 | |
| Read Value | FileAssociations | value_name = .flv, type = REG_NONE |
|
22 | |
| Read Value | - | value_name = Hidden |
|
21 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = AutoColorization |
|
1 | |
| Read Value | - | data = ShellWindows |
|
1 | |
| Read Value | - | data = PSOAInterface |
|
1 | |
| Read Value | - | data = C:\Windows\System32\oleaut32.dll |
|
2 | |
| Read Value | - | type = REG_NONE |
|
6 | |
| Read Value | - | data = PSDispatch |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell\Launcher | value_name = AllowAutoAppRestartOnCrash |
|
2 | |
| Read Value | - | data = Memory Mapped Cache Mgr |
|
1 | |
| Read Value | - | data = C:\Windows\system32\propsys.dll |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender | value_name = DisableAntiSpyware, type = REG_NONE |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | value_name = DisableRealtimeMonitoring, type = REG_NONE |
|
2 | |
| Read Value | - | value_name = Threading, type = REG_NONE |
|
1 | |
| Read Value | - | value_name = ActivateAsUser, type = REG_NONE |
|
1 | |
| Write Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = EnableSPDY3_0, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = {111F6A44-3C4D-6BC7-CED5-30CFE2D96473}, size = 8, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | value_name = cabilipc, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, size = 118, type = REG_SZ |
|
1 | |
| Enumerate Values | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Get Key Info | - | - |
|
1 | |
| Get Key Info | - | - |
|
1 |
Process (647)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\explorer.exe | type = PROCESS_BASIC_INFORMATION |
|
647 |
Module (239)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x0 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x0 |
|
1 | |
| Load | AVIFIL32.dll | base_address = 0x0 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x7ff8ee190000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x7ff8edfe0000 |
|
1 | |
| Load | USER32.dll | base_address = 0x7ff8ebdc0000 |
|
1 | |
| Load | PSAPI.DLL | base_address = 0x7ff8ee240000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7ff8ec300000 |
|
1 | |
| Load | ADVAPI32.DLL | base_address = 0x7ff8ee190000 |
|
1 | |
| Get Handle | Unknown module name | base_address = 0x7ff79fdc0000 |
|
1 | |
| Get Handle | KERNEL32.DLL | base_address = 0x7ff8ee2d0000 |
|
5 | |
| Get Handle | NTDLL.DLL | base_address = 0x7ff8ee380000 |
|
2 | |
| Get Handle | kernelbase | base_address = 0x7ff8eb870000 |
|
2 | |
| Get Handle | ADVAPI32.DLL | base_address = 0x7ff8ee190000 |
|
3 | |
| Get Filename | AVIFIL32.dll | process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260 |
|
2 | |
| Get Address | - | function = NtCreateSection, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = NtMapViewOfSection, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = ZwOpenProcessToken, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = ZwClose, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = ZwQueryInformationToken, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = ZwOpenProcess, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = NtQuerySystemInformation, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = _wcsupr, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = _strupr, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = memmove, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = bsearch, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = _vsnwprintf, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = _strlwr, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = atoi, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = strstr, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = wcscpy, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = ZwQueryKey, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = sprintf, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = _snprintf, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = memset, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = memcpy, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = strcpy, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = mbstowcs, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = RtlImageNtHeader, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = memcmp, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = __C_specific_handler, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = __chkstk, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetLocalTime, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = OpenProcess, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = VirtualQueryEx, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = CreateRemoteThread, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetModuleFileNameW, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetVersion, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = SetEndOfFile, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = RemoveDirectoryW, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetTempFileNameA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = DeleteCriticalSection, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = CloseHandle, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = WriteProcessMemory, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = CreateFileA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = lstrcmpiA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetModuleFileNameA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetCurrentProcess, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = lstrcmpA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetModuleHandleA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = CreateFileMappingA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = MapViewOfFile, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = Sleep, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GlobalLock, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = lstrlenA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GlobalAlloc, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GlobalUnlock, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = HeapAlloc, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = lstrcpyA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetLastError, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = HeapFree, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = RemoveDirectoryA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = DeleteFileA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = lstrcatA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = WriteFile, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = CreateDirectoryA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = HeapDestroy, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = HeapCreate, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = SetEvent, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = HeapReAlloc, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetTickCount, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = FindNextFileW, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = CopyFileW, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = SetWaitableTimer, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = LocalAlloc, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetCurrentThread, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetCurrentThreadId, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = lstrlenW, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = CreateEventA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = DeleteFileW, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = CreateDirectoryW, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = CreateWaitableTimerA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetTempPathA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = FindFirstFileW, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = LocalFree, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = TerminateProcess, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = SuspendThread, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = WaitForMultipleObjects, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = ResumeThread, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = lstrcpyW, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = FileTimeToSystemTime, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = CreateThread, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = CreateFileW, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = ResetEvent, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = SwitchToThread, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = lstrcatW, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = CreateProcessW, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetFileSize, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetFileAttributesW, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = WideCharToMultiByte, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = LeaveCriticalSection, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = SetLastError, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = EnterCriticalSection, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetComputerNameA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = CreateMutexA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = OpenWaitableTimerA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = OpenMutexA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetVolumeInformationA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = WaitForSingleObject, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = ReleaseMutex, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetComputerNameW, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = InitializeCriticalSection, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = LoadLibraryExW, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = VirtualFree, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetFileAttributesA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = OpenFileMappingA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetExitCodeProcess, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = CreateProcessA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = lstrcpynA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = LocalReAlloc, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = TlsAlloc, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = TlsGetValue, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = TlsSetValue, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = LoadLibraryW, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetVersionExW, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = FreeLibrary, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = ReadFile, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = SetFilePointer, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = Thread32First, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = QueueUserAPC, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = OpenThread, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = Thread32Next, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = FindFirstFileA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = FindNextFileA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = ConnectNamedPipe, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetOverlappedResult, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = CancelIo, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = DisconnectNamedPipe, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = FlushFileBuffers, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = CallNamedPipeA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = CreateNamedPipeA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetSystemTime, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = WaitNamedPipeA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetCurrentProcessId, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = SleepEx, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = OpenEventA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = lstrcmpiW, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = RaiseException, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetSystemInfo, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = Process32NextW, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = Process32FirstW, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = QueueUserWorkItem, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = FindClose, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = GetDriveTypeW, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = VirtualProtectEx, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = AVIStreamRelease, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = AVIStreamWrite, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = AVIFileOpenA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = AVIFileCreateStreamA, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = AVIStreamSetFormat, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = AVIFileExit, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = AVIFileInit, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = AVIMakeCompressedStream, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | - | function = AVIFileRelease, ordinal = 0, address_out = 0x307fa60 |
|
1 | |
| Get Address | Unknown module name | function = IsWow64Process, address_out = 0x7ff8ee2ee960 |
|
1 | |
| Get Address | Unknown module name | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ff8ee1ad610 |
|
1 | |
| Get Address | Unknown module name | function = StrRChrA, address_out = 0x7ff8edff4dd0 |
|
1 | |
| Get Address | Unknown module name | function = wsprintfA, address_out = 0x7ff8ebde2610 |
|
1 | |
| Get Address | Unknown module name | function = RegOpenKeyA, address_out = 0x7ff8ee1ab9e0 |
|
1 | |
| Get Address | Unknown module name | function = RegQueryValueExA, address_out = 0x7ff8ee1a7dd0 |
|
1 | |
| Get Address | Unknown module name | function = RegCloseKey, address_out = 0x7ff8ee1a72e0 |
|
1 | |
| Get Address | Unknown module name | function = StrToIntExA, address_out = 0x7ff8edff4e70 |
|
1 | |
| Get Address | Unknown module name | function = StrChrA, address_out = 0x7ff8edff4cc0 |
|
1 | |
| Get Address | Unknown module name | function = StrTrimA, address_out = 0x7ff8edff4e80 |
|
1 | |
| Get Address | Unknown module name | function = GetUserNameA, address_out = 0x7ff8ee1bec40 |
|
1 | |
| Get Address | Unknown module name | function = EnumProcessModules, address_out = 0x7ff8ee241040 |
|
1 | |
| Get Address | Unknown module name | function = StrStrIW, address_out = 0x7ff8edfeb260 |
|
1 | |
| Get Address | Unknown module name | function = RegEnumValueW, address_out = 0x7ff8ee1a7220 |
|
1 | |
| Get Address | Unknown module name | function = RegSetValueExA, address_out = 0x7ff8ee192680 |
|
1 | |
| Get Address | Unknown module name | function = RegCreateKeyA, address_out = 0x7ff8ee1d6dc0 |
|
1 | |
| Get Address | Unknown module name | function = RegOpenKeyExA, address_out = 0x7ff8ee1a7d70 |
|
1 | |
| Get Address | Unknown module name | function = CreateStreamOnHGlobal, address_out = 0x7ff8edd870a0 |
|
1 | |
| Get Address | Unknown module name | function = PathFindFileNameA, address_out = 0x7ff8edfecf30 |
|
1 | |
| Get Address | Unknown module name | function = SetWindowsHookExA, address_out = 0x7ff8ebdc27a0 |
|
1 | |
| Get Address | Unknown module name | function = RegisterClassA, address_out = 0x7ff8ebde1310 |
|
1 | |
| Get Address | Unknown module name | function = CreateWindowExA, address_out = 0x7ff8ebde4df0 |
|
1 | |
| Get Address | Unknown module name | function = GetWindowLongPtrA, address_out = 0x7ff8ebdccae0 |
|
1 | |
| Get Address | Unknown module name | function = DefWindowProcA, address_out = 0x7ff8ee413230 |
|
1 | |
| Get Address | Unknown module name | function = SetWindowLongPtrA, address_out = 0x7ff8ebdd61f0 |
|
1 | |
| Get Address | Unknown module name | function = GetMessageA, address_out = 0x7ff8ebddaa50 |
|
1 | |
| Get Address | Unknown module name | function = TranslateMessage, address_out = 0x7ff8ebdd36a0 |
|
1 | |
| Get Address | Unknown module name | function = DispatchMessageA, address_out = 0x7ff8ebde61e0 |
|
1 | |
| Get Address | Unknown module name | function = SetClipboardViewer, address_out = 0x7ff8ebdf0de0 |
|
1 | |
| Get Address | Unknown module name | function = PostMessageA, address_out = 0x7ff8ebde4900 |
|
1 | |
| Get Address | Unknown module name | function = OpenClipboard, address_out = 0x7ff8ebdeb6c0 |
|
1 | |
| Get Address | Unknown module name | function = GetClipboardData, address_out = 0x7ff8ebdeaba0 |
|
1 | |
| Get Address | Unknown module name | function = CloseClipboard, address_out = 0x7ff8ebdf0920 |
|
1 | |
| Get Address | Unknown module name | function = StrCmpIW, address_out = 0x7ff8edfebe50 |
|
1 | |
| Get Address | Unknown module name | function = CallNextHookEx, address_out = 0x7ff8ebdd52d0 |
|
1 | |
| Get Address | Unknown module name | function = RegSetValueExW, address_out = 0x7ff8ee1a7850 |
|
1 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = {91EA4745-0FE0-01BF-4912-8D6663144788}, wndproc_parameter = 103577728 |
|
1 | |
| Create | - | class_name = {E697FB69-8DB4-DD83-AD06-319A67288BDC}, wndproc_parameter = 103577360 |
|
1 |
System (13)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Clipboard | format = 1 |
|
1 | |
| Sleep | duration = -1 (infinite) |
|
3 | |
| Get Time | type = Ticks, time = 259281 |
|
1 | |
| Get Time | type = System Time, time = 2018-11-01 09:59:40 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 259890 |
|
2 | |
| Register Hook | type = WH_KEYBOARD_LL, hookproc_address = 0x629045c |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
Mutex (10)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = {CEF02F91-D541-3029-CFE2-D96473361DD8} |
|
1 | |
| Create | mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6} |
|
1 | |
| Create | mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D} |
|
1 | |
| Create | mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45} |
|
1 | |
| Open | mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 |
Process #8: autoclb.exe
298
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:08, Reason: Autostart |
| Unmonitor | End Time: 00:04:22, Reason: Self Terminated |
| Monitor Duration | 00:00:14 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x478 |
| Parent PID | 0x568 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
750
0x
518
0x
2D8
0x
538
0x
A08
0x
9F4
0x
40
0x
B00
0x
0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00163fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00191fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00184fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00190fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002f0000 | 0x003adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f3fff | Private Memory | rw |
|
|
|
- |
| autoclb.exe | 0x00400000 | 0x0051efff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000520000 | 0x00520000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x008e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x00a70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a80fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x01e9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001ea0000 | 0x01ea0000 | 0x01ea0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001ea0000 | 0x01ea0000 | 0x01ea3fff | Pagefile Backed Memory | r |
|
|
|
- |
| user32.dll.mui | 0x01eb0000 | 0x01eb4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001ec0000 | 0x01ec0000 | 0x01f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f40000 | 0x01f40000 | 0x01f4ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01f50000 | 0x02286fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002290000 | 0x02290000 | 0x0242ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002290000 | 0x02290000 | 0x0238ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002290000 | 0x02290000 | 0x02347fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002350000 | 0x02350000 | 0x02353fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002360000 | 0x02360000 | 0x02360fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002360000 | 0x02360000 | 0x02364fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x02376fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002380000 | 0x02380000 | 0x0238ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002390000 | 0x02390000 | 0x0240ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| ~fontcache-system.dat | 0x02390000 | 0x02405fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002410000 | 0x02410000 | 0x02410fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002420000 | 0x02420000 | 0x0242ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002430000 | 0x02430000 | 0x0282ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002830000 | 0x02830000 | 0x0286ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002870000 | 0x02870000 | 0x0296ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002970000 | 0x02970000 | 0x029affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029b0000 | 0x029b0000 | 0x02aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ab0000 | 0x02ab0000 | 0x02baffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-fontface.dat | 0x02bb0000 | 0x03baffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003bb0000 | 0x03bb0000 | 0x03caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003cb0000 | 0x03cb0000 | 0x03daffff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x03db0000 | 0x04deffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004df0000 | 0x04df0000 | 0x052e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000052f0000 | 0x052f0000 | 0x052f0fff | Private Memory | rw |
|
|
|
- |
| wdmaud.drv.mui | 0x05300000 | 0x05300fff | Memory Mapped File | r |
|
|
|
- |
| hdaudio.pnf | 0x05310000 | 0x05327fff | Memory Mapped File | r |
|
|
|
- |
| mmdevapi.dll.mui | 0x05310000 | 0x05310fff | Memory Mapped File | r |
|
|
|
- |
| hdaudio.pnf | 0x05320000 | 0x05337fff | Memory Mapped File | r |
|
|
|
- |
| midimap.dll | 0x73310000 | 0x73317fff | Memory Mapped File | rwx |
|
|
|
- |
| msacm32.dll | 0x73320000 | 0x73337fff | Memory Mapped File | rwx |
|
|
|
- |
| msacm32.drv | 0x73340000 | 0x73348fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x73350000 | 0x73414fff | Memory Mapped File | rwx |
|
|
|
- |
| audioses.dll | 0x73420000 | 0x73487fff | Memory Mapped File | rwx |
|
|
|
- |
| avrt.dll | 0x73490000 | 0x73498fff | Memory Mapped File | rwx |
|
|
|
- |
| ksuser.dll | 0x734a0000 | 0x734a6fff | Memory Mapped File | rwx |
|
|
|
- |
| wdmaud.drv | 0x734b0000 | 0x734e7fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x734f0000 | 0x73631fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x73640000 | 0x73693fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x73680000 | 0x73726fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x736a0000 | 0x736b8fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x736c0000 | 0x736eefff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x736f0000 | 0x7370afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x73710000 | 0x73722fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x73730000 | 0x7391ffff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x73920000 | 0x7393cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x73940000 | 0x739b4fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x739c0000 | 0x739e0fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x739f0000 | 0x73cb0fff | Memory Mapped File | rwx |
|
|
|
- |
| dciman32.dll | 0x73cc0000 | 0x73cc6fff | Memory Mapped File | rwx |
|
|
|
- |
| adsldpc.dll | 0x73cd0000 | 0x73d07fff | Memory Mapped File | rwx |
|
|
|
- |
| ddraw.dll | 0x73d10000 | 0x73dfafff | Memory Mapped File | rwx |
|
|
|
- |
| winmmbase.dll | 0x73e00000 | 0x73e22fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x73e30000 | 0x73f8ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x73f90000 | 0x740fafff | Memory Mapped File | rwx |
|
|
|
- |
| pdh.dll | 0x74100000 | 0x74142fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x74150000 | 0x74373fff | Memory Mapped File | rwx |
|
|
|
- |
| opengl32.dll | 0x74380000 | 0x7445ffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x74460000 | 0x7581efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x75820000 | 0x75827fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x75830000 | 0x758a2fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x758b0000 | 0x758fefff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x75900000 | 0x75907fff | Memory Mapped File | rwx |
|
|
|
- |
| activeds.dll | 0x75910000 | 0x7594afff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x75950000 | 0x75973fff | Memory Mapped File | rwx |
|
|
|
- |
| glu32.dll | 0x75980000 | 0x759a4fff | Memory Mapped File | rwx |
|
|
|
- |
| odbc32.dll | 0x759b0000 | 0x75a48fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x75a50000 | 0x75ae1fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x75af0000 | 0x75b80fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x75b90000 | 0x75be8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75bf0000 | 0x75bf9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75c00000 | 0x75c1dfff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75c70000 | 0x75ca5fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75cc0000 | 0x75e0cfff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75e10000 | 0x75e62fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75e70000 | 0x75e9afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x75ea0000 | 0x75eabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75eb0000 | 0x75f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75fa0000 | 0x75fe2fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75ff0000 | 0x760d9fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x760e0000 | 0x7621ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76220000 | 0x762cbfff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x76330000 | 0x763edfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x763f0000 | 0x76433fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x76440000 | 0x764ccfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x764d0000 | 0x76689fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x768d0000 | 0x7698dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76990000 | 0x76b05fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x76b10000 | 0x76b53fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76bd0000 | 0x770acfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x770b0000 | 0x771cffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x77250000 | 0x772e1fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x772f0000 | 0x772fefff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77620000 | 0x7769afff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x776a0000 | 0x77721fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77730000 | 0x778a8fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007fe4d000 | 0x7fe4d000 | 0x7fe4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe50000 | 0x7fe50000 | 0x7feaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fff1f8fffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7fff1f900000 | 0x7fff1fac1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007fff1fac2000 | 0x7fff1fac2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 56 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
COM (14)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 2087C2F4-2CEF-4953-A8AB-66779B670495 | 06F29373-5C5A-4B54-B025-6EF1BF8ABF0E | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | BCDE0395-E52F-467C-8E3D-C4579291692E | A95664D2-9614-4F35-A746-DE8DB63617E6 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
8 | |
| Create | 50B6327F-AFD1-11D2-9CB9-0000F87A369E | 5BB11929-AFD1-11D2-9CB9-0000F87A369E | cls_context = CLSCTX_INPROC_SERVER |
|
5 |
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\98F9CE91 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\c_1252.nls | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
3 | |
| Create Directory | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw | - |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (12)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Open Key | HKEY_USERS | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | value_name = cabilipc, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | value_name = AppData, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\svchost.exe | os_pid = 0xaf4, creation_flags = CREATE_SUSPENDED, CREATE_DEFAULT_ERROR_MODE, show_window = SW_HIDE |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Thread (6)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Suspend | c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | os_tid = 0xb00 |
|
1 | |
| Get Context | c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | os_tid = 0xb00 |
|
2 | |
| Set Context | c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | os_tid = 0xb00 |
|
1 | |
| Resume | c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | os_tid = 0xb00 |
|
2 |
Memory (7)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Protect | C:\Windows\system32\svchost.exe | address = 0x7ff6e3233440, protection = PAGE_EXECUTE_READWRITE, size = 99284472 |
|
2 | |
| Protect | C:\Windows\system32\svchost.exe | address = 0x7ff6e3233000, protection = PAGE_EXECUTE_READ, size = 99284472 |
|
2 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x7ff6e3233440, size = 4 |
|
2 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x760000, size = 792 |
|
1 |
Module (201)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x77730000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x76b10000 |
|
1 | |
| Load | SETUPAPI.dll | base_address = 0x77470000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x75eb0000 |
|
1 | |
| Load | USER32.dll | base_address = 0x760e0000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77620000 |
|
1 | |
| Load | SHELL32.dll | base_address = 0x74460000 |
|
1 | |
| Load | ole32.dll | base_address = 0x75ff0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75eb0000 |
|
4 | |
| Get Handle | c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | base_address = 0x400000 |
|
7 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77730000 |
|
19 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x77620000 |
|
2 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x760e0000 |
|
2 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, size = 260 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x75eca330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75ec7580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75ec9910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x75ecf400 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memset, address_out = 0x7779ee50 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = strstr, address_out = 0x777a0010 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = mbstowcs, address_out = 0x7779e610 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlNtStatusToDosError, address_out = 0x77783010 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memcpy, address_out = 0x7779e7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlGetVersion, address_out = 0x7778fcd0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlUnwind, address_out = 0x7778aca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationProcess, address_out = 0x77798d50 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x77798f40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcessToken, address_out = 0x77799d20 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationToken, address_out = 0x77798df0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwClose, address_out = 0x77798cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcess, address_out = 0x77798e40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtUnmapViewOfSection, address_out = 0x77798e80 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtMapViewOfSection, address_out = 0x77798e60 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtCreateSection, address_out = 0x77799080 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlFreeUnicodeString, address_out = 0x7776b940 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlUpcaseUnicodeString, address_out = 0x7777e040 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = _aulldiv, address_out = 0x7779c680 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQueryVirtualMemory, address_out = 0x77798e10 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrStrIA, address_out = 0x76b2cd10 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrChrW, address_out = 0x76b26a00 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindFileNameW, address_out = 0x76b280d0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathCombineW, address_out = 0x76b2cd50 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindExtensionA, address_out = 0x76b31db0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrChrA, address_out = 0x76b326c0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrTrimW, address_out = 0x76b283a0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindExtensionW, address_out = 0x76b27c40 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrRChrA, address_out = 0x76b32900 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiGetDeviceRegistryPropertyA, address_out = 0x774c19a0 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiGetClassDevsA, address_out = 0x77498d10 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiEnumDeviceInfo, address_out = 0x77485620 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiDestroyDeviceInfoList, address_out = 0x77485340 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x75ec25e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameA, address_out = 0x75ecf4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x75ed74f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x75ec9640 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x75eca4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77792570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75ed5f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75ec9700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapDestroy, address_out = 0x75ecd940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapCreate, address_out = 0x75ec9950 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x75ed60c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x75eed410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileAttributesW, address_out = 0x75ed6510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x75ec2d80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyA, address_out = 0x75ece320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SwitchToThread, address_out = 0x75ec9f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x75ed64f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventA, address_out = 0x75ed5f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x75ed62a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempPathA, address_out = 0x75ed6410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75ec2db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileA, address_out = 0x75ed6270 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x7776da90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiW, address_out = 0x75ec7540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75ec7940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetWaitableTimer, address_out = 0x75ed60d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x75ed57f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x75eed320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x75ed61d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileA, address_out = 0x75ed6170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareFileTime, address_out = 0x75ed6130 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ResetEvent, address_out = 0x75ed60b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75ed6590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileTime, address_out = 0x75ed6380 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessA, address_out = 0x75ef0960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryW, address_out = 0x75ed6150 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x75ed61b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75ed6180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateWaitableTimerA, address_out = 0x75ecdb30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ResumeThread, address_out = 0x75eca280 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SuspendThread, address_out = 0x75eced00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x75ecc1f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpynA, address_out = 0x75ecf7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x75ec87c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsA, address_out = 0x75ef0da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x75ec77b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x75ed3a30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatA, address_out = 0x75ecefc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75ed6110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x75ed64a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x75ecc8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryA, address_out = 0x75ed6140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtectEx, address_out = 0x75ef2a00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileA, address_out = 0x75ed6210 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x75eca040 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75ec9560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSize, address_out = 0x75ed6360 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x75ec92b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateRemoteThread, address_out = 0x75ef0a00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x75ec8b70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiA, address_out = 0x75ec7610 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualFree, address_out = 0x75ec8c70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75ec2af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75ec1d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x75eca300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLongPathNameW, address_out = 0x75ec47c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointer, address_out = 0x75ed6530 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempFileNameA, address_out = 0x75ed63f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7610ea00 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CharUpperA, address_out = 0x761131c0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = FindWindowA, address_out = 0x76110980 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfW, address_out = 0x7610ddf0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MessageBoxA, address_out = 0x7615cf50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7763ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegEnumKeyExA, address_out = 0x77642520 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7763f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteValueW, address_out = 0x77640ca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7766bda0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7763f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthorityCount, address_out = 0x77640f50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthority, address_out = 0x77640ea0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7763ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyA, address_out = 0x776431a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExA, address_out = 0x77640750 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyA, address_out = 0x77643150 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7763ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7763efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExA, address_out = 0x7763ee40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExA, address_out = 0x7763f000 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteW, address_out = 0x745f4370 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x745f4cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = 92, address_out = 0x746d7560 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoUninitialize, address_out = 0x7653dca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x7653cd50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x75ec96e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetWindowThreadProcessId, address_out = 0x760fba70 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Wow64EnableWow64FsRedirection, address_out = 0x75eeb6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwWow64QueryInformationProcess64, address_out = 0x7779a840 |
|
15 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwWow64ReadVirtualMemory64, address_out = 0x7779a860 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, SEC_RESERVE, maximum_size = 4194304 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 99284440 |
|
1 | |
| Map | - | process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, desired_access = FILE_MAP_ALL_ACCESS |
|
1 | |
| Map | - | process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2830000 |
|
1 | |
| Map | - | process_name = C:\Windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x620000 |
|
1 |
Driver (1)
| Operation | Driver | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Control | STD_ERROR_HANDLE | control_code = 0x74080 |
|
1 |
Window (11)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = Check Box, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = SysListView32, wndproc_parameter = 0 |
|
1 | |
| Create | | class_name = , wndproc_parameter = 0 |
|
1 | |
| Create | | class_name = , wndproc_parameter = 0 |
|
2 | |
| Find | - | class_name = ProgMan |
|
2 | |
| Set Attribute | - | index = 4, new_long = 11014128 |
|
1 | |
| Set Attribute | - | index = 18446744073709551612, new_long = 11014112 |
|
1 | |
| Set Attribute | - | index = 18446744073709551612, new_long = 11014096 |
|
1 | |
| Set Attribute | - | index = 0, new_long = 0 |
|
1 |
Keyboard (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Read | virtual_key_code = VK_RIGHT, result_out = 0 |
|
2 |
System (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Cursor | x_out = 1437, y_out = 686 |
|
1 | |
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
10 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2018-10-31 23:00:54 (UTC) |
|
1 | |
| Get Time | type = System Time, time = 2018-10-31 23:00:56 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 58046 |
|
1 | |
| Get Info | type = Hardware Information |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #9: svchost.exe
307
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:20, Reason: Child Process |
| Unmonitor | End Time: 00:04:22, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xaf4 |
| Parent PID | 0x478 (c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A14
0x
790
0x
7B0
0x
798
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000620000 | 0x00620000 | 0x00752fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x00760fff | Private Memory | rwx |
|
|
|
- |
| private_0x000000007fa2a000 | 0x7fa2a000 | 0x7fa2afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000ba9e620000 | 0xba9e620000 | 0xba9e63ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ba9e620000 | 0xba9e620000 | 0xba9e62ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xba9e630000 | 0xba9e630fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ba9e640000 | 0xba9e640000 | 0xba9e653fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ba9e660000 | 0xba9e660000 | 0xba9e6dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ba9e6e0000 | 0xba9e6e0000 | 0xba9e6e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ba9e6f0000 | 0xba9e6f0000 | 0xba9e6f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ba9e700000 | 0xba9e700000 | 0xba9e701fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xba9e710000 | 0xba9e7cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ba9e7d0000 | 0xba9e7d0000 | 0xba9e84ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0xba9e850000 | 0xba9e883fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ba9e850000 | 0xba9e850000 | 0xba9e850fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ba9e860000 | 0xba9e860000 | 0xba9e860fff | Private Memory | rw |
|
|
|
- |
| msvfw32.dll.mui | 0xba9e870000 | 0xba9e871fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ba9e8e0000 | 0xba9e8e0000 | 0xba9e8e6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ba9e900000 | 0xba9e900000 | 0xba9e9fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ba9ea00000 | 0xba9ea00000 | 0xba9ea9cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000ba9eaa0000 | 0xba9eaa0000 | 0xba9ec9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ba9eb00000 | 0xba9eb00000 | 0xba9ebfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ba9ec00000 | 0xba9ec00000 | 0xba9ed87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ba9ed90000 | 0xba9ed90000 | 0xba9ef10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ba9ef20000 | 0xba9ef20000 | 0xbaa031ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000baa0320000 | 0xbaa0320000 | 0xbaa04fcfff | Private Memory | rw |
|
|
|
- |
| oleaut32.dll | 0xbaa0320000 | 0xbaa03dcfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000baa0320000 | 0xbaa0320000 | 0xbaa049cfff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000baa0320000 | 0xbaa0320000 | 0xbaa0452fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x000000baa0490000 | 0xbaa0490000 | 0xbaa049cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000baa04f0000 | 0xbaa04f0000 | 0xbaa04fcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000baa0500000 | 0xbaa0500000 | 0xbaa06fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000baa0500000 | 0xbaa0500000 | 0xbaa05fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000baa0600000 | 0xbaa0600000 | 0xbaa07fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000baa0600000 | 0xbaa0600000 | 0xbaa06fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000baa0700000 | 0xbaa0700000 | 0xbaa08fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000baa0700000 | 0xbaa0700000 | 0xbaa07fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000baa0800000 | 0xbaa0800000 | 0xbaa09fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000baa0800000 | 0xbaa0800000 | 0xbaa08fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000baa0900000 | 0xbaa0900000 | 0xbaa0afffff | Private Memory | rw |
|
|
|
- |
| private_0x000000baa0900000 | 0xbaa0900000 | 0xbaa09fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xbaa0a00000 | 0xbaa0d36fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff9a0000 | 0x7df5ff9a0000 | 0x7ff5ff99ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6e2d90000 | 0x7ff6e2d90000 | 0x7ff6e2e8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6e2e90000 | 0x7ff6e2e90000 | 0x7ff6e2eb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6e2ebb000 | 0x7ff6e2ebb000 | 0x7ff6e2ebcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e2ebd000 | 0x7ff6e2ebd000 | 0x7ff6e2ebefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e2ebf000 | 0x7ff6e2ebf000 | 0x7ff6e2ebffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff6e3230000 | 0x7ff6e323cfff | Memory Mapped File | rwx |
|
|
|
- |
| winmmbase.dll | 0x7fff0ce80000 | 0x7fff0ceabfff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x7fff0ceb0000 | 0x7fff0ced2fff | Memory Mapped File | rwx |
|
|
|
- |
| msacm32.dll | 0x7fff12050000 | 0x7fff1206bfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fff12160000 | 0x7fff12209fff | Memory Mapped File | rwx |
|
|
|
- |
| msvfw32.dll | 0x7fff1ab40000 | 0x7fff1ab68fff | Memory Mapped File | rwx |
|
|
|
- |
| avifil32.dll | 0x7fff1ab70000 | 0x7fff1ab8ffff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fff1aca0000 | 0x7fff1acc6fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fff1bf50000 | 0x7fff1bf7bfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7fff1c350000 | 0x7fff1c399fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fff1c3a0000 | 0x7fff1c3b2fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7fff1c3c0000 | 0x7fff1c3cefff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fff1c3d0000 | 0x7fff1c413fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7fff1c420000 | 0x7fff1c4d2fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7fff1c760000 | 0x7fff1cd87fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fff1cdf0000 | 0x7fff1cfccfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7fff1d080000 | 0x7fff1d2fbfff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x7fff1d3e0000 | 0x7fff1d3e7fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7fff1d3f0000 | 0x7fff1d530fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7fff1d600000 | 0x7fff1d65afff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fff1d730000 | 0x7fff1d765fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fff1d790000 | 0x7fff1d8ebfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7fff1d8f0000 | 0x7fff1da15fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7fff1da90000 | 0x7fff1dbddfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fff1df70000 | 0x7fff1f494fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fff1f500000 | 0x7fff1f684fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7fff1f690000 | 0x7fff1f6e0fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7fff1f700000 | 0x7fff1f79cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7fff1f7a0000 | 0x7fff1f845fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7fff1f850000 | 0x7fff1f8fcfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7fff1f900000 | 0x7fff1fac1fff | Memory Mapped File | rwx |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #8: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | 0xb00 | address = 0x7ff6e3233440, size = 4 |
|
2 | |
| Modify Memory | #8: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | 0xb00 | address = 0x620000, size = 1257472 |
|
1 | |
| Modify Memory | #8: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | 0xb00 | address = 0x760000, size = 792 |
|
1 | |
| Modify Control Flow | #8: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | 0xb00 | os_tid = 0xa14, address = 0xe2ebf000 |
|
1 |
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SYSTEM32\ntdll.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
3 | |
| Read | C:\Windows\SYSTEM32\ntdll.dll | size = 4, size_out = 4 |
|
3 |
Registry (11)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Ini, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Client, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductID, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductName, data = 87 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = CurrentVersion, data = 54 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Scr, type = REG_NONE |
|
1 |
Process (35)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\system32\svchost.exe | type = PROCESS_BASIC_INFORMATION |
|
34 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Thread (7)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | c:\windows\explorer.exe | proc_address = 0x7fff1f909fa0, proc_parameter = 0, flags = THREAD_CREATE_SUSPENDED |
|
1 | |
| Suspend | c:\windows\explorer.exe | os_tid = 0x94c |
|
1 | |
| Get Context | c:\windows\explorer.exe | os_tid = 0x94c |
|
2 | |
| Set Context | c:\windows\explorer.exe | os_tid = 0x94c |
|
1 | |
| Resume | c:\windows\explorer.exe | os_tid = 0x94c |
|
2 |
Memory (9)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | c:\windows\explorer.exe | address = 0xba9e6ded60, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 801521921384 |
|
1 | |
| Protect | c:\windows\explorer.exe | address = 0x7fff1f909fa0, protection = PAGE_EXECUTE_READWRITE, size = 4 |
|
2 | |
| Protect | c:\windows\explorer.exe | address = 0x7fff1f909fa0, protection = PAGE_EXECUTE_READ, size = 4 |
|
2 | |
| Read | c:\windows\explorer.exe | address = 0x7fff1f909fa0, size = 4 |
|
1 | |
| Write | c:\windows\explorer.exe | address = 0x7fff1f909fa0, size = 4 |
|
2 | |
| Write | c:\windows\explorer.exe | address = 0x48c0000, size = 792 |
|
1 |
Module (225)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x0 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x0 |
|
1 | |
| Load | AVIFIL32.dll | base_address = 0x0 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x7fff1f7a0000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x7fff1f690000 |
|
1 | |
| Load | USER32.dll | base_address = 0x7fff1da90000 |
|
1 | |
| Load | PSAPI.DLL | base_address = 0x7fff1d3e0000 |
|
1 | |
| Get Handle | c:\windows\system32\svchost.exe | base_address = 0x7ff6e3230000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7fff1f850000 |
|
5 | |
| Get Handle | c:\windows\system32\ntdll.dll | base_address = 0x7fff1f900000 |
|
4 | |
| Get Handle | c:\windows\system32\kernelbase.dll | base_address = 0x7fff1cdf0000 |
|
1 | |
| Get Handle | c:\windows\system32\advapi32.dll | base_address = 0x7fff1f7a0000 |
|
2 | |
| Get Filename | AVIFIL32.dll | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260 |
|
2 | |
| Get Filename | c:\windows\system32\ntdll.dll | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
3 | |
| Get Address | - | function = NtCreateSection, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = NtUnmapViewOfSection, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = NtMapViewOfSection, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = ZwOpenProcessToken, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = ZwClose, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = ZwQueryInformationToken, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = ZwOpenProcess, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = NtQuerySystemInformation, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = RtlNtStatusToDosError, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = ZwQueryInformationProcess, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = _wcsupr, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = _strupr, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = memmove, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = bsearch, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = _vsnwprintf, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = _strlwr, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = atoi, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = strstr, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = wcscpy, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = ZwQueryKey, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = RtlFreeUnicodeString, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = sprintf, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = _snprintf, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = memset, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = memcpy, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = strcpy, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = RtlAdjustPrivilege, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = mbstowcs, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = RtlImageNtHeader, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = memcmp, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = __C_specific_handler, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = __chkstk, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetLocalTime, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = OpenProcess, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = VirtualQueryEx, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = CreateRemoteThread, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetModuleFileNameW, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetVersion, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = SetEndOfFile, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = RemoveDirectoryW, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetTempFileNameA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = DeleteCriticalSection, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = CloseHandle, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = WriteProcessMemory, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = CreateFileA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = lstrcmpiA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetModuleFileNameA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetCurrentProcess, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = lstrcmpA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetModuleHandleA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = CreateFileMappingA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = MapViewOfFile, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = Sleep, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GlobalLock, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = lstrlenA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GlobalAlloc, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GlobalUnlock, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = HeapAlloc, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = lstrcpyA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetLastError, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = HeapFree, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = RemoveDirectoryA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = DeleteFileA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = lstrcatA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = WriteFile, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = CreateDirectoryA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = HeapDestroy, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = HeapCreate, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = SetEvent, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = HeapReAlloc, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetTickCount, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = FindNextFileW, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = CopyFileW, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = SetWaitableTimer, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = LocalAlloc, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetCurrentThread, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetCurrentThreadId, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = lstrlenW, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = CreateEventA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetWindowsDirectoryA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = DeleteFileW, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = CreateDirectoryW, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = CreateWaitableTimerA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetTempPathA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = FindFirstFileW, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = LocalFree, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = TerminateProcess, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = SuspendThread, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = WaitForMultipleObjects, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = ResumeThread, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = lstrcpyW, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = FileTimeToSystemTime, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = CreateThread, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = CreateFileW, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = ResetEvent, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = SwitchToThread, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = lstrcatW, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = CreateProcessW, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetFileSize, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetFileAttributesW, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = WideCharToMultiByte, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = LeaveCriticalSection, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = SetLastError, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = EnterCriticalSection, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetComputerNameA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = CreateMutexA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = OpenWaitableTimerA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = OpenMutexA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetVolumeInformationA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = WaitForSingleObject, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = ReleaseMutex, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetComputerNameW, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = InitializeCriticalSection, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = LoadLibraryExW, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = VirtualFree, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetFileAttributesA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = OpenFileMappingA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetExitCodeProcess, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = CreateProcessA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = lstrcpynA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = LocalReAlloc, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = TlsAlloc, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = TlsGetValue, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = TlsSetValue, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = LoadLibraryW, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetVersionExW, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = FreeLibrary, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = ReadFile, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = SetFilePointer, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = Thread32First, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = QueueUserAPC, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = OpenThread, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = Thread32Next, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = FindFirstFileA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = FindNextFileA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = ConnectNamedPipe, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetOverlappedResult, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = CancelIo, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = DisconnectNamedPipe, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = FlushFileBuffers, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = CallNamedPipeA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = CreateNamedPipeA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetSystemTime, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = WaitNamedPipeA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetCurrentProcessId, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = SleepEx, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = OpenEventA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = lstrcmpiW, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = RaiseException, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetSystemInfo, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = Process32NextW, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = Process32FirstW, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = QueueUserWorkItem, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = FindClose, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = GetDriveTypeW, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = VirtualProtectEx, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = AVIStreamRelease, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = AVIStreamWrite, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = AVIFileOpenA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = AVIFileCreateStreamA, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = AVIStreamSetFormat, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = AVIFileExit, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = AVIFileInit, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = AVIMakeCompressedStream, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | - | function = AVIFileRelease, ordinal = 0, address_out = 0xba9e6dfbd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7fff1f86e960 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7fff1f7bd610 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrRChrA, address_out = 0x7fff1f6a4dd0 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x7fff1dab2610 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyA, address_out = 0x7fff1f7bb9e0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegQueryValueExA, address_out = 0x7fff1f7b7dd0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7fff1f7b72e0 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrToIntExA, address_out = 0x7fff1f6a4e70 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrChrA, address_out = 0x7fff1f6a4cc0 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrTrimA, address_out = 0x7fff1f6a4e80 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7fff1f7cec40 |
|
1 | |
| Get Address | c:\windows\system32\psapi.dll | function = EnumProcessModules, address_out = 0x7fff1d3e1040 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrStrIW, address_out = 0x7fff1f69b260 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetShellWindow, address_out = 0x7fff1dab4060 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetWindowThreadProcessId, address_out = 0x7fff1daa4040 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlExitUserThread, address_out = 0x7fff1f909fa0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyA, address_out = 0x7fff1f7e6dc0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExA, address_out = 0x7fff1f7b7d70 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 801521922816 |
|
1 | |
| Map | - | process_name = c:\windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xbaa0320000 |
|
1 | |
| Map | - | process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xb020000 |
|
1 |
System (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Get Time | type = Ticks, time = 64421 |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = {CA459827-A1FA-8CD3-7B9E-6580DFB269B4} |
|
1 |
Process #10: explorer.exe
875
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\explorer.exe |
| Command Line | C:\Windows\Explorer.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:22, Reason: Injection |
| Unmonitor | End Time: 00:04:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:19 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x568 |
| Parent PID | 0x594 (c:\windows\system32\userinit.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
3E8
0x
7A4
0x
BD0
0x
BCC
0x
BC8
0x
BC4
0x
BC0
0x
BBC
0x
BB8
0x
BB0
0x
BAC
0x
BA4
0x
BA0
0x
A78
0x
A74
0x
A68
0x
A64
0x
A50
0x
A4C
0x
A48
0x
A40
0x
A0C
0x
9D4
0x
9C4
0x
954
0x
948
0x
940
0x
93C
0x
938
0x
930
0x
928
0x
924
0x
910
0x
90C
0x
908
0x
8F8
0x
8F0
0x
8E8
0x
8E4
0x
8E0
0x
8DC
0x
8D8
0x
8C8
0x
8C4
0x
8C0
0x
8AC
0x
8A4
0x
864
0x
850
0x
83C
0x
838
0x
834
0x
828
0x
824
0x
810
0x
80C
0x
804
0x
698
0x
5F4
0x
7AC
0x
778
0x
46C
0x
2B8
0x
454
0x
758
0x
6B8
0x
688
0x
664
0x
94C
0x
904
0x
7A8
0x
8BC
0x
A9C
0x
974
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000fa0000 | 0x00fa0000 | 0x00faffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00fb6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fc0000 | 0x00fc0000 | 0x00fd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x0105ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001060000 | 0x01060000 | 0x01063fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001070000 | 0x01070000 | 0x01072fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001080000 | 0x01080000 | 0x01081fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x01090000 | 0x0114dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001150000 | 0x01150000 | 0x01156fff | Private Memory | rw |
|
|
|
- |
| explorer.exe.mui | 0x01160000 | 0x01167fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001170000 | 0x01170000 | 0x01170fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001180000 | 0x01180000 | 0x01180fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001190000 | 0x01190000 | 0x0119ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000011a0000 | 0x011a0000 | 0x011a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000011b0000 | 0x011b0000 | 0x011b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000011c0000 | 0x011c0000 | 0x012bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000012c0000 | 0x012c0000 | 0x0133ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001340000 | 0x01340000 | 0x014c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000014d0000 | 0x014d0000 | 0x01650fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001660000 | 0x01660000 | 0x02a5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002a60000 | 0x02a60000 | 0x02a60fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002a70000 | 0x02a70000 | 0x02a70fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002a80000 | 0x02a80000 | 0x02a80fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001d.db | 0x02a90000 | 0x02aa3fff | Memory Mapped File | r |
|
|
|
- |
| cversions.1.db | 0x02ab0000 | 0x02ab3fff | Memory Mapped File | r |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000035.db | 0x02ac0000 | 0x02adbfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002ae0000 | 0x02ae0000 | 0x02ae2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002af0000 | 0x02af0000 | 0x02afffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02b00000 | 0x02e36fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002e40000 | 0x02e40000 | 0x02ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ec0000 | 0x02ec0000 | 0x02f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f40000 | 0x02f40000 | 0x02fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fc0000 | 0x02fc0000 | 0x0303ffff | Private Memory | rw |
|
|
|
- |
| shell32.dll.mui | 0x03040000 | 0x030a0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000030b0000 | 0x030b0000 | 0x030b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000030c0000 | 0x030c0000 | 0x030e9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x030f0000 | 0x031cefff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000031d0000 | 0x031d0000 | 0x0324ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003250000 | 0x03250000 | 0x032cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032d0000 | 0x032d0000 | 0x0334ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003350000 | 0x03350000 | 0x03351fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000003360000 | 0x03360000 | 0x03361fff | Pagefile Backed Memory | r |
|
|
|
- |
| oleaccrc.dll | 0x03370000 | 0x03371fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll.mui | 0x03380000 | 0x03384fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000003390000 | 0x03390000 | 0x03447fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000003450000 | 0x03450000 | 0x03453fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003460000 | 0x03460000 | 0x0355ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003560000 | 0x03560000 | 0x0365ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003660000 | 0x03660000 | 0x03660fff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x03670000 | 0x046affff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000046b0000 | 0x046b0000 | 0x046b6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046c0000 | 0x046c0000 | 0x046c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046d0000 | 0x046d0000 | 0x046d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046e0000 | 0x046e0000 | 0x046e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046f0000 | 0x046f0000 | 0x0476ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004770000 | 0x04770000 | 0x04771fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004780000 | 0x04780000 | 0x04780fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004790000 | 0x04790000 | 0x04790fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000047a0000 | 0x047a0000 | 0x047a0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000047b0000 | 0x047b0000 | 0x047b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x047c0000 | 0x047c3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000047d0000 | 0x047d0000 | 0x047d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000047e0000 | 0x047e0000 | 0x047e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000047f0000 | 0x047f0000 | 0x047f0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004800000 | 0x04800000 | 0x04802fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004810000 | 0x04810000 | 0x04848fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000004850000 | 0x04850000 | 0x04852fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004860000 | 0x04860000 | 0x04860fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004870000 | 0x04870000 | 0x04870fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004880000 | 0x04880000 | 0x04882fff | Pagefile Backed Memory | r |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000036.db | 0x04890000 | 0x048acfff | Memory Mapped File | r |
|
|
|
- |
| stobject.dll.mui | 0x048b0000 | 0x048b1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000048d0000 | 0x048d0000 | 0x048d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000048e0000 | 0x048e0000 | 0x048e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| inputswitch.dll.mui | 0x048f0000 | 0x048f1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004900000 | 0x04900000 | 0x04902fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x04910000 | 0x04913fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0x04920000 | 0x04962fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x04970000 | 0x04973fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x04980000 | 0x04a0afff | Memory Mapped File | r |
|
|
|
- |
| propsys.dll.mui | 0x04a10000 | 0x04a20fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004a30000 | 0x04a30000 | 0x04aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ab0000 | 0x04ab0000 | 0x04b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x0542ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000005430000 | 0x05430000 | 0x054affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000054b0000 | 0x054b0000 | 0x054b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000054c0000 | 0x054c0000 | 0x0553ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005540000 | 0x05540000 | 0x05a31fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000005a40000 | 0x05a40000 | 0x05a40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005a50000 | 0x05a50000 | 0x05acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005ad0000 | 0x05ad0000 | 0x05b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005b50000 | 0x05b50000 | 0x05bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005bd0000 | 0x05bd0000 | 0x05c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005c50000 | 0x05c50000 | 0x05ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005cd0000 | 0x05cd0000 | 0x05d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005d50000 | 0x05d50000 | 0x05dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005dd0000 | 0x05dd0000 | 0x05e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005e50000 | 0x05e50000 | 0x05ecffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005ed0000 | 0x05ed0000 | 0x05ed0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000005ee0000 | 0x05ee0000 | 0x05ee0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005ef0000 | 0x05ef0000 | 0x05ef0fff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x05f00000 | 0x05f03fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll | 0x05f10000 | 0x05f14fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0x05f20000 | 0x05f2ffff | Memory Mapped File | r |
|
|
|
- |
| mswsock.dll.mui | 0x05f30000 | 0x05f32fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005f40000 | 0x05f40000 | 0x05f40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005f50000 | 0x05f50000 | 0x0604ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000006050000 | 0x06050000 | 0x06052fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000006060000 | 0x06060000 | 0x06062fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000006070000 | 0x06070000 | 0x06071fff | Pagefile Backed Memory | r |
|
|
|
- |
| sndvolsso.dll.mui | 0x06080000 | 0x06081fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006090000 | 0x06090000 | 0x06098fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000060a0000 | 0x060a0000 | 0x060a3fff | Private Memory | rw |
|
|
|
- |
| thumbcache_idx.db | 0x060b0000 | 0x060b1fff | Memory Mapped File | rw |
|
|
|
- |
| netmsg.dll | 0x060c0000 | 0x060c0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000060d0000 | 0x060d0000 | 0x060d8fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000060e0000 | 0x060e0000 | 0x060e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000060f0000 | 0x060f0000 | 0x061effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000061f0000 | 0x061f0000 | 0x061f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000006200000 | 0x06200000 | 0x06247fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006250000 | 0x06250000 | 0x06297fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000062a0000 | 0x062a0000 | 0x0631ffff | Private Memory | rw |
|
|
|
- |
| thumbcache_48.db | 0x06320000 | 0x0641ffff | Memory Mapped File | rw |
|
|
|
- |
| netmsg.dll.mui | 0x06420000 | 0x06451fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006460000 | 0x06460000 | 0x064dffff | Private Memory | rw |
|
|
|
- |
| iconcache_idx.db | 0x064e0000 | 0x064e1fff | Memory Mapped File | rw |
|
|
|
- |
| iconcache_48.db | 0x064f0000 | 0x065effff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000065f0000 | 0x065f0000 | 0x0666ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006670000 | 0x06670000 | 0x066effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000066f0000 | 0x066f0000 | 0x066f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000006700000 | 0x06700000 | 0x06700fff | Private Memory | rw |
|
|
|
- |
| thumbcache_idx.db | 0x06710000 | 0x06711fff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_48.db | 0x06720000 | 0x0681ffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000006820000 | 0x06820000 | 0x06821fff | Pagefile Backed Memory | r |
|
|
|
- |
| grooveintlresource.dll | 0x06830000 | 0x070b2fff | Memory Mapped File | rwx |
|
|
|
- |
| thumbcache_idx.db | 0x070c0000 | 0x070c1fff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_48.db | 0x070d0000 | 0x071cffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000071d0000 | 0x071d0000 | 0x0724ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007250000 | 0x07250000 | 0x07250fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007260000 | 0x07260000 | 0x072a8fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000072b0000 | 0x072b0000 | 0x074affff | Private Memory | rw |
|
|
|
- |
| appdb.dat | 0x074b0000 | 0x09831fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000009840000 | 0x09840000 | 0x098bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000098c0000 | 0x098c0000 | 0x0993ffff | Private Memory | rw |
|
|
|
- |
| iconcache_idx.db | 0x09940000 | 0x09941fff | Memory Mapped File | rw |
|
|
|
- |
| iconcache_32.db | 0x09950000 | 0x09a4ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000009a50000 | 0x09a50000 | 0x09a97fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009aa0000 | 0x09aa0000 | 0x09b1ffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 336 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create Remote Thread | #9: c:\windows\system32\svchost.exe | 0xa14 | address = 0x7fff1f909fa0 |
|
1 | |
| Modify Memory | #9: c:\windows\system32\svchost.exe | 0xa14 | address = 0x7fff1f909fa0, size = 4 |
|
2 | |
| Modify Memory | #9: c:\windows\system32\svchost.exe | 0xa14 | address = 0xb020000, size = 1257472 |
|
1 | |
| Modify Memory | #9: c:\windows\system32\svchost.exe | 0xa14 | address = 0x48c0000, size = 792 |
|
1 | |
| Modify Control Flow | #9: c:\windows\system32\svchost.exe | 0xa14 | os_tid = 0x94c, address = 0x0 |
|
1 |
Host Behavior
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Pipe | pipe\{072bb6f5-baec-d114-fc2b-8e95f08fa299} | open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_TYPE_MESSAGE, max_instances = 255 |
|
1 |
Registry (19)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Ini, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Install, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Client, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductID, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductName, data = 87 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = CurrentVersion, data = 54 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = {111F6A44-3C4D-6BC7-CED5-30CFE2D96473}, type = REG_BINARY |
|
2 | |
| Write Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = EnableSPDY3_0, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Enumerate Values | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 |
Process (583)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\explorer.exe | type = PROCESS_BASIC_INFORMATION |
|
583 |
Module (236)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x0 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x0 |
|
1 | |
| Load | AVIFIL32.dll | base_address = 0x0 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x7fff1f7a0000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x7fff1f690000 |
|
1 | |
| Load | USER32.dll | base_address = 0x7fff1da90000 |
|
1 | |
| Load | PSAPI.DLL | base_address = 0x7fff1d3e0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7fff1d3f0000 |
|
1 | |
| Load | ADVAPI32.DLL | base_address = 0x7fff1f7a0000 |
|
1 | |
| Get Handle | Unknown module name | base_address = 0x7ff6e4e10000 |
|
1 | |
| Get Handle | KERNEL32.DLL | base_address = 0x7fff1f850000 |
|
5 | |
| Get Handle | NTDLL.DLL | base_address = 0x7fff1f900000 |
|
2 | |
| Get Handle | kernelbase | base_address = 0x7fff1cdf0000 |
|
2 | |
| Get Handle | ADVAPI32.DLL | base_address = 0x7fff1f7a0000 |
|
3 | |
| Get Filename | AVIFIL32.dll | process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260 |
|
2 | |
| Get Address | - | function = NtCreateSection, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = NtMapViewOfSection, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = ZwOpenProcessToken, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = ZwClose, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = ZwQueryInformationToken, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = ZwOpenProcess, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = NtQuerySystemInformation, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = _wcsupr, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = _strupr, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = memmove, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = bsearch, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = _vsnwprintf, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = _strlwr, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = atoi, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = strstr, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = wcscpy, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = ZwQueryKey, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = sprintf, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = _snprintf, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = memset, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = memcpy, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = strcpy, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = mbstowcs, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = RtlImageNtHeader, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = memcmp, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = __C_specific_handler, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = __chkstk, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetLocalTime, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = OpenProcess, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = VirtualQueryEx, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = CreateRemoteThread, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetModuleFileNameW, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetVersion, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = SetEndOfFile, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = RemoveDirectoryW, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetTempFileNameA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = DeleteCriticalSection, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = CloseHandle, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = WriteProcessMemory, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = CreateFileA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = lstrcmpiA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetModuleFileNameA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetCurrentProcess, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = lstrcmpA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetModuleHandleA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = CreateFileMappingA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = MapViewOfFile, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = Sleep, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GlobalLock, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = lstrlenA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GlobalAlloc, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GlobalUnlock, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = HeapAlloc, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = lstrcpyA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetLastError, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = HeapFree, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = RemoveDirectoryA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = DeleteFileA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = lstrcatA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = WriteFile, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = CreateDirectoryA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = HeapDestroy, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = HeapCreate, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = SetEvent, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = HeapReAlloc, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetTickCount, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = FindNextFileW, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = CopyFileW, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = SetWaitableTimer, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = LocalAlloc, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetCurrentThread, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetCurrentThreadId, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = lstrlenW, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = CreateEventA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = DeleteFileW, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = CreateDirectoryW, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = CreateWaitableTimerA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetTempPathA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = FindFirstFileW, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = LocalFree, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = TerminateProcess, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = SuspendThread, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = WaitForMultipleObjects, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = ResumeThread, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = lstrcpyW, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = FileTimeToSystemTime, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = CreateThread, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = CreateFileW, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = ResetEvent, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = SwitchToThread, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = lstrcatW, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = CreateProcessW, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetFileSize, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetFileAttributesW, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = WideCharToMultiByte, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = LeaveCriticalSection, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = SetLastError, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = EnterCriticalSection, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetComputerNameA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = CreateMutexA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = OpenWaitableTimerA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = OpenMutexA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetVolumeInformationA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = WaitForSingleObject, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = ReleaseMutex, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetComputerNameW, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = InitializeCriticalSection, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = LoadLibraryExW, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = VirtualFree, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetFileAttributesA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = OpenFileMappingA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetExitCodeProcess, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = CreateProcessA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = lstrcpynA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = LocalReAlloc, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = TlsAlloc, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = TlsGetValue, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = TlsSetValue, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = LoadLibraryW, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetVersionExW, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = FreeLibrary, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = ReadFile, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = SetFilePointer, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = Thread32First, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = QueueUserAPC, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = OpenThread, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = Thread32Next, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = FindFirstFileA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = FindNextFileA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = ConnectNamedPipe, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetOverlappedResult, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = CancelIo, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = DisconnectNamedPipe, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = FlushFileBuffers, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = CallNamedPipeA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = CreateNamedPipeA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetSystemTime, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = WaitNamedPipeA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetCurrentProcessId, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = SleepEx, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = OpenEventA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = lstrcmpiW, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = RaiseException, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetSystemInfo, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = Process32NextW, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = Process32FirstW, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = QueueUserWorkItem, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = FindClose, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = GetDriveTypeW, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = VirtualProtectEx, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = AVIStreamRelease, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = AVIStreamWrite, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = AVIFileOpenA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = AVIFileCreateStreamA, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = AVIStreamSetFormat, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = AVIFileExit, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = AVIFileInit, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = AVIMakeCompressedStream, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | - | function = AVIFileRelease, ordinal = 0, address_out = 0x9b9f9f0 |
|
1 | |
| Get Address | Unknown module name | function = IsWow64Process, address_out = 0x7fff1f86e960 |
|
1 | |
| Get Address | Unknown module name | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7fff1f7bd610 |
|
1 | |
| Get Address | Unknown module name | function = StrRChrA, address_out = 0x7fff1f6a4dd0 |
|
1 | |
| Get Address | Unknown module name | function = wsprintfA, address_out = 0x7fff1dab2610 |
|
1 | |
| Get Address | Unknown module name | function = RegOpenKeyA, address_out = 0x7fff1f7bb9e0 |
|
1 | |
| Get Address | Unknown module name | function = RegQueryValueExA, address_out = 0x7fff1f7b7dd0 |
|
1 | |
| Get Address | Unknown module name | function = RegCloseKey, address_out = 0x7fff1f7b72e0 |
|
1 | |
| Get Address | Unknown module name | function = StrToIntExA, address_out = 0x7fff1f6a4e70 |
|
1 | |
| Get Address | Unknown module name | function = StrChrA, address_out = 0x7fff1f6a4cc0 |
|
1 | |
| Get Address | Unknown module name | function = StrTrimA, address_out = 0x7fff1f6a4e80 |
|
1 | |
| Get Address | Unknown module name | function = GetUserNameA, address_out = 0x7fff1f7cec40 |
|
1 | |
| Get Address | Unknown module name | function = EnumProcessModules, address_out = 0x7fff1d3e1040 |
|
1 | |
| Get Address | Unknown module name | function = StrStrIW, address_out = 0x7fff1f69b260 |
|
1 | |
| Get Address | Unknown module name | function = RegEnumValueW, address_out = 0x7fff1f7b7220 |
|
1 | |
| Get Address | Unknown module name | function = RegSetValueExA, address_out = 0x7fff1f7a2680 |
|
1 | |
| Get Address | Unknown module name | function = RegCreateKeyA, address_out = 0x7fff1f7e6dc0 |
|
1 | |
| Get Address | Unknown module name | function = RegOpenKeyExA, address_out = 0x7fff1f7b7d70 |
|
1 | |
| Get Address | Unknown module name | function = CreateStreamOnHGlobal, address_out = 0x7fff1d0a70a0 |
|
1 | |
| Get Address | Unknown module name | function = PathFindFileNameA, address_out = 0x7fff1f69cf30 |
|
1 | |
| Get Address | Unknown module name | function = SetWindowsHookExA, address_out = 0x7fff1da927a0 |
|
1 | |
| Get Address | Unknown module name | function = RegisterClassA, address_out = 0x7fff1dab1310 |
|
1 | |
| Get Address | Unknown module name | function = CreateWindowExA, address_out = 0x7fff1dab4df0 |
|
1 | |
| Get Address | Unknown module name | function = GetWindowLongPtrA, address_out = 0x7fff1da9cae0 |
|
1 | |
| Get Address | Unknown module name | function = DefWindowProcA, address_out = 0x7fff1f993230 |
|
1 | |
| Get Address | Unknown module name | function = SetWindowLongPtrA, address_out = 0x7fff1daa61f0 |
|
1 | |
| Get Address | Unknown module name | function = GetMessageA, address_out = 0x7fff1daaaa50 |
|
1 | |
| Get Address | Unknown module name | function = TranslateMessage, address_out = 0x7fff1daa36a0 |
|
1 | |
| Get Address | Unknown module name | function = DispatchMessageA, address_out = 0x7fff1dab61e0 |
|
1 | |
| Get Address | Unknown module name | function = SetClipboardViewer, address_out = 0x7fff1dac0de0 |
|
1 | |
| Get Address | Unknown module name | function = PostMessageA, address_out = 0x7fff1dab4900 |
|
1 | |
| Get Address | Unknown module name | function = OpenClipboard, address_out = 0x7fff1dabb6c0 |
|
1 | |
| Get Address | Unknown module name | function = GetClipboardData, address_out = 0x7fff1dababa0 |
|
1 | |
| Get Address | Unknown module name | function = CloseClipboard, address_out = 0x7fff1dac0920 |
|
1 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = {567523B2-AF69-B1B4-0683-9A6728ADDC31}, wndproc_parameter = 185104512 |
|
1 | |
| Create | - | class_name = {841853B2-1F69-61B4-0683-9A6728ADDC31}, wndproc_parameter = 185104144 |
|
1 |
System (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Clipboard | format = 1 |
|
1 | |
| Sleep | duration = -1 (infinite) |
|
3 | |
| Get Time | type = Ticks, time = 65015 |
|
1 | |
| Get Time | type = System Time, time = 2018-10-31 23:01:03 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 65375 |
|
2 | |
| Register Hook | type = WH_KEYBOARD_LL, hookproc_address = 0xb05045c |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Mutex (10)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = {AE35B69A-3501-1021-2FC2-3944D3167DB8} |
|
1 | |
| Create | mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6} |
|
1 | |
| Create | mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D} |
|
1 | |
| Create | mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45} |
|
1 | |
| Open | mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 |
