51bc32788b49aca2384cd07dce9f8ac63f07f52c27cf33c938e01c64c374eee4 (SHA256)
worldtime.exe
Windows Exe (x86-32)
Created at 2018-10-30 17:02:00
Notifications (2/2)
The operating system was rebooted during the analysis.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: worldtime.exe
1238
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\ciihmnxmn6ps\desktop\worldtime.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\worldtime.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:26, Reason: Analysis Target |
| Unmonitor | End Time: 00:00:48, Reason: Self Terminated |
| Monitor Duration | 00:00:22 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc38 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C3C
0x
C40
0x
C54
0x
CC0
0x
CCC
0x
CE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00063fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00070fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00080fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00090fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x000a0000 | 0x000a3fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0x000b0000 | 0x000f2fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x00100000 | 0x00103fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x00110000 | 0x0019afff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| worldtime.exe | 0x00400000 | 0x0054efff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x0000000000550000 | 0x00550000 | 0x006d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006e1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x006f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x00703fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x00710fff | Private Memory | rwx |
|
|
|
- |
| propsys.dll.mui | 0x00710000 | 0x00720fff | Memory Mapped File | r |
|
|
|
- |
| cversions.1.db | 0x00730000 | 0x00733fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x00880000 | 0x00892fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x008a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x00a50fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x01e5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e60000 | 0x01e60000 | 0x01e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ea0000 | 0x01ea0000 | 0x01edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ee0000 | 0x01ee0000 | 0x01f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f30000 | 0x01f30000 | 0x01f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f40000 | 0x01f40000 | 0x0204ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f40000 | 0x01f40000 | 0x0203ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002040000 | 0x02040000 | 0x0204ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002050000 | 0x02050000 | 0x0244ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002450000 | 0x02450000 | 0x0255ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002450000 | 0x02450000 | 0x0254ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002550000 | 0x02550000 | 0x0255ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002560000 | 0x02560000 | 0x028effff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000028f0000 | 0x028f0000 | 0x029effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029f0000 | 0x029f0000 | 0x02f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029f0000 | 0x029f0000 | 0x02b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b90000 | 0x02b90000 | 0x02f9ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02fa0000 | 0x032d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000032e0000 | 0x032e0000 | 0x033dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000033e0000 | 0x033e0000 | 0x034dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000034e0000 | 0x034e0000 | 0x035dffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x74280000 | 0x74540fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x74550000 | 0x746affff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x746b0000 | 0x746defff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x746e0000 | 0x746fafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74700000 | 0x74712fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74720000 | 0x74861fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x74870000 | 0x74890fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x748a0000 | 0x748e3fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x748f0000 | 0x74af8fff | Memory Mapped File | rwx |
|
|
|
- |
| tapi32.dll | 0x74b00000 | 0x74b33fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x74b40000 | 0x74b4efff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74b50000 | 0x74b57fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74b60000 | 0x74bf1fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75220000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76820000 | 0x768a1fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76a90000 | 0x76c34fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x76d30000 | 0x76d3dfff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x76d40000 | 0x76d81fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x77ab0000 | 0x77c24fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007feaa000 | 0x7feaa000 | 0x7feacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fead000 | 0x7fead000 | 0x7feaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIIHMN~1\AppData\Local\Temp\19FE\E47F.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\19FE\E47F.bat | 0.11 KB |
MD5:
2af2261a8591e22a5e3c41fc603a4340
SHA1: c46a5f2b4aed20df44c8d4cb394abd101b8a274e SHA256: ddbbdd9a5e9ac3df7eeeffed148aa2ef075e4b186383e6121259292235ad6cc7 SSDeep: 3:5WxvGLK6OWRNfeURwv+gU64vHXMJATkUE1zWxvfBos+n:IAlRhmvGvvHXMJ2dm6xBL+n |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe | 1.29 MB |
MD5:
9d00145017261466596a4e6e66480fb6
SHA1: 5288c791ee5766998bf3522abba9d33b3ec21a74 SHA256: ef6111afc2b62eef53a1e3a9a7fe2f5762e0e58d8e1274ede2c987d1303701ce SSDeep: 24576:Zy8RCFEr8W1tVIFy8aCbC8zl0LYJJyQ6+vYnbaFtMfvmdj:ZywCF6Eu8zmMJyQzv9TMfut |
|
|
Host Behavior
File (24)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\98F9CE91 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\c_1252.nls | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
3 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\worldtime.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\19FE\E47F.bat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create Directory | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\19FE | - |
|
1 | |
| Create Temp File | C:\Users\CIIHMN~1\AppData\Local\Temp\19FE.tmp | path = C:\Users\CIIHMN~1\AppData\Local\Temp\ |
|
1 | |
| Create Temp File | C:\Users\CIIHMN~1\AppData\Local\Temp\19FE\E47F.tmp | path = C:\Users\CIIHMN~1\AppData\Local\Temp\19FE |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\worldtime.exe | type = size |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\worldtime.exe | size = 1357824, size_out = 1357824 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe | size = 4096 |
|
2 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe | size = 1353728 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\19FE\E47F.bat | size = 110 |
|
1 |
Registry (129)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
71 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Open Key | HKEY_USERS | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER | value_name = Value, data = 0 |
|
38 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | value_name = cabilipc, data = 160, type = REG_NONE |
|
1 | |
| Read Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | value_name = AppData, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ |
|
1 | |
| Read Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Client, data = 0, type = REG_NONE |
|
1 | |
| Write Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Run | value_name = cabilipc, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, size = 118, type = REG_SZ |
|
1 | |
| Write Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Install, size = 118, type = REG_BINARY |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\19FE\E47F.bat | show_window = SW_HIDE |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 |
Module (182)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x77ca0000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x77290000 |
|
1 | |
| Load | SETUPAPI.dll | base_address = 0x76a90000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x75260000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | SHELL32.dll | base_address = 0x75430000 |
|
1 | |
| Load | ole32.dll | base_address = 0x768b0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
13 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77ca0000 |
|
3 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x76a10000 |
|
2 | |
| Get Handle | c:\users\ciihmnxmn6ps\desktop\worldtime.exe | base_address = 0x400000 |
|
4 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x77150000 |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\worldtime.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\worldtime.exe, size = 260 |
|
3 | |
| Get Filename | c:\users\ciihmnxmn6ps\desktop\worldtime.exe | process_name = c:\users\ciihmnxmn6ps\desktop\worldtime.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\worldtime.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
8 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memset, address_out = 0x77d0ee50 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = strstr, address_out = 0x77d10010 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = mbstowcs, address_out = 0x77d0e610 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlNtStatusToDosError, address_out = 0x77cf3010 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memcpy, address_out = 0x77d0e7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlGetVersion, address_out = 0x77cffcd0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlUnwind, address_out = 0x77cfaca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationProcess, address_out = 0x77d08d50 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x77d08f40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcessToken, address_out = 0x77d09d20 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationToken, address_out = 0x77d08df0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwClose, address_out = 0x77d08cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcess, address_out = 0x77d08e40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtUnmapViewOfSection, address_out = 0x77d08e80 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtMapViewOfSection, address_out = 0x77d08e60 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtCreateSection, address_out = 0x77d09080 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlFreeUnicodeString, address_out = 0x77cdb940 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlUpcaseUnicodeString, address_out = 0x77cee040 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = _aulldiv, address_out = 0x77d0c680 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQueryVirtualMemory, address_out = 0x77d08e10 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrStrIA, address_out = 0x772acd10 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrChrW, address_out = 0x772a6a00 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindFileNameW, address_out = 0x772a80d0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathCombineW, address_out = 0x772acd50 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindExtensionA, address_out = 0x772b1db0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrChrA, address_out = 0x772b26c0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrTrimW, address_out = 0x772a83a0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindExtensionW, address_out = 0x772a7c40 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrRChrA, address_out = 0x772b2900 |
|
1 | |
| Get Address | c:\windows\syswow64\setupapi.dll | function = SetupDiGetDeviceRegistryPropertyA, address_out = 0x76ae19a0 |
|
1 | |
| Get Address | c:\windows\syswow64\setupapi.dll | function = SetupDiGetClassDevsA, address_out = 0x76ab8d10 |
|
1 | |
| Get Address | c:\windows\syswow64\setupapi.dll | function = SetupDiEnumDeviceInfo, address_out = 0x76aa5620 |
|
1 | |
| Get Address | c:\windows\syswow64\setupapi.dll | function = SetupDiDestroyDeviceInfoList, address_out = 0x76aa5340 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameA, address_out = 0x7527f4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x75279640 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapDestroy, address_out = 0x7527d940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapCreate, address_out = 0x75279950 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x7529d410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileAttributesW, address_out = 0x75286510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x75272d80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyA, address_out = 0x7527e320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SwitchToThread, address_out = 0x75279f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventA, address_out = 0x75285f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempPathA, address_out = 0x75286410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileA, address_out = 0x75286270 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiW, address_out = 0x75277540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetWaitableTimer, address_out = 0x752860d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x752857f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x7529d320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x752861d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileA, address_out = 0x75286170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareFileTime, address_out = 0x75286130 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ResetEvent, address_out = 0x752860b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileTime, address_out = 0x75286380 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessA, address_out = 0x752a0960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryW, address_out = 0x75286150 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateWaitableTimerA, address_out = 0x7527db30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ResumeThread, address_out = 0x7527a280 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SuspendThread, address_out = 0x7527ed00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7527c1f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpynA, address_out = 0x7527f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsA, address_out = 0x752a0da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x75283a30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatA, address_out = 0x7527efc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryA, address_out = 0x75286140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtectEx, address_out = 0x752a2a00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileA, address_out = 0x75286210 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x7527a040 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSize, address_out = 0x75286360 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateRemoteThread, address_out = 0x752a0a00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x75278b70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiA, address_out = 0x75277610 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualFree, address_out = 0x75278c70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLongPathNameW, address_out = 0x752747c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointer, address_out = 0x75286530 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempFileNameA, address_out = 0x752863f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7717ea00 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CharUpperA, address_out = 0x771831c0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = FindWindowA, address_out = 0x77180980 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfW, address_out = 0x7717ddf0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MessageBoxA, address_out = 0x771ccf50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegEnumKeyExA, address_out = 0x76a32520 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteValueW, address_out = 0x76a30ca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x76a5bda0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthorityCount, address_out = 0x76a30f50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthority, address_out = 0x76a30ea0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyA, address_out = 0x76a331a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExA, address_out = 0x76a30750 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyA, address_out = 0x76a33150 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExA, address_out = 0x76a2ee40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExA, address_out = 0x76a2f000 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteW, address_out = 0x755c4370 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x755c4cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = 92, address_out = 0x756a7560 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoUninitialize, address_out = 0x76eadca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x76eacd50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetWindowThreadProcessId, address_out = 0x7716ba70 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, SEC_RESERVE, maximum_size = 4194304 |
|
1 | |
| Map | - | process_name = c:\users\ciihmnxmn6ps\desktop\worldtime.exe, desired_access = FILE_MAP_ALL_ACCESS |
|
1 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Find | - | class_name = ProgMan |
|
1 | |
| Set Attribute | - | index = 18446744073709551596, new_long = 128 |
|
1 |
System (889)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Cursor | x_out = 819, y_out = 480 |
|
800 | |
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
10 | |
| Get Time | type = System Time, time = 2018-10-30 17:03:31 (UTC) |
|
70 | |
| Get Time | type = System Time, time = 2018-10-30 17:03:32 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 118375 |
|
1 | |
| Get Time | type = Ticks, time = 124031 |
|
4 | |
| Get Info | type = Hardware Information |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #2: cmd.exe
254
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIIHMN~1\AppData\Local\Temp\19FE\E47F.bat" "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\WORLDT~1.EXE"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:45, Reason: Child Process |
| Unmonitor | End Time: 00:01:02, Reason: Self Terminated |
| Monitor Duration | 00:00:17 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcfc |
| Parent PID | 0xc38 (c:\users\ciihmnxmn6ps\desktop\worldtime.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D00
0x
D18
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e60000 | 0x00e60000 | 0x00e7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e60000 | 0x00e60000 | 0x00e6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e73fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e90000 | 0x00e90000 | 0x00ea3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00eeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00feffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x00ff3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001000000 | 0x01000000 | 0x01000fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x01011fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x01020000 | 0x010ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000010e0000 | 0x010e0000 | 0x0111ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001120000 | 0x01120000 | 0x01123fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001130000 | 0x01130000 | 0x0113ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe.mui | 0x01140000 | 0x01160fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001170000 | 0x01170000 | 0x0117ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001180000 | 0x01180000 | 0x0127ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012dffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000012e0000 | 0x012e0000 | 0x052dffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000053b0000 | 0x053b0000 | 0x054affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x054b0000 | 0x057e6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x74bf0000 | 0x74bf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fa40000 | 0x7fa40000 | 0x7fb3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fb40000 | 0x7fb40000 | 0x7fb62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fb66000 | 0x7fb66000 | 0x7fb68fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb69000 | 0x7fb69000 | 0x7fb6bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb6c000 | 0x7fb6c000 | 0x7fb6cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb6e000 | 0x7fb6e000 | 0x7fb6efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (202)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\19FE\E47F.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\19FE\E47F.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\19FE\E47F.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\CIIHMN~1\AppData\Local\Temp\19FE\E47F.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
25 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\19FE\E47F.bat | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\19FE | type = file_attributes |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
88 | |
| Open | STD_INPUT_HANDLE | - |
|
7 | |
| Open | - | - |
|
12 | |
| Open | - | - |
|
13 | |
| Open | \??\C:\Users\CIIHMN~1\AppData\Local\Temp\19FE\E47F.bat | desired_access = DELETE, open_options = FILE_NON_DIRECTORY_FILE, FILE_DELETE_ON_CLOSE, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_DELETE |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
3 | |
| Read | - | size = 8191, size_out = 110 |
|
1 | |
| Read | - | size = 8191, size_out = 99 |
|
1 | |
| Read | - | size = 8191, size_out = 66 |
|
1 | |
| Read | - | size = 8191, size_out = 50 |
|
1 | |
| Read | - | size = 8191, size_out = 19 |
|
1 | |
| Read | - | size = 8191, size_out = 6 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
8 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
4 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
4 | |
| Write | STD_OUTPUT_HANDLE | size = 4 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 63 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 104 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 13 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 10 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 54 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 33 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xd20, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (24)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
3 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
4 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
2 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #4: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd /C ""C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\WORLDT~1.EXE"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:49, Reason: Child Process |
| Unmonitor | End Time: 00:01:00, Reason: Self Terminated |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd20 |
| Parent PID | 0xcfc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D24
0x
D28
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000240000 | 0x00240000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x0024ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00253fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00261fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00263fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00283fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00400000 | 0x004bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00940000 | 0x00c76fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012dffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000012e0000 | 0x012e0000 | 0x052dffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.sdb | 0x7f670000 | 0x7f9fffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000007fa00000 | 0x7fa00000 | 0x7fafffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fb00000 | 0x7fb00000 | 0x7fb22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fb25000 | 0x7fb25000 | 0x7fb27fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb28000 | 0x7fb28000 | 0x7fb28fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb2b000 | 0x7fb2b000 | 0x7fb2bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb2d000 | 0x7fb2d000 | 0x7fb2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe | os_pid = 0xd2c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (16)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #5: autoclb.exe
1082
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe |
| Command Line | "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\WORLDT~1.EXE" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:50, Reason: Child Process |
| Unmonitor | End Time: 00:01:00, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd2c |
| Parent PID | 0xd20 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D30
0x
D34
0x
D80
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00063fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00301fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00311fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x00323fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00330fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| autoclb.exe | 0x00400000 | 0x0054efff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x009b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009c0000 | 0x009c0000 | 0x00b40fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b50000 | 0x00b50000 | 0x01f4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001f50000 | 0x01f50000 | 0x0204ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002120000 | 0x02120000 | 0x0212ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002130000 | 0x02130000 | 0x0252ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002530000 | 0x02530000 | 0x028bffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000028c0000 | 0x028c0000 | 0x029bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029c0000 | 0x029c0000 | 0x02abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ac0000 | 0x02ac0000 | 0x02bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bc0000 | 0x02bc0000 | 0x0303ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x03040000 | 0x03376fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003380000 | 0x03380000 | 0x03541fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003380000 | 0x03380000 | 0x034b2fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x00000000034c0000 | 0x034c0000 | 0x03681fff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x74860000 | 0x74880fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x74890000 | 0x748d3fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x748e0000 | 0x74ae8fff | Memory Mapped File | rwx |
|
|
|
- |
| tapi32.dll | 0x74af0000 | 0x74b23fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x74b30000 | 0x74b3efff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74b40000 | 0x74b47fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74b50000 | 0x74be1fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75220000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76a90000 | 0x76c34fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x76d30000 | 0x76d3dfff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x76d40000 | 0x76d81fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x77ab0000 | 0x77c24fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (12)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\98F9CE91 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\c_1252.nls | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
3 | |
| Create Directory | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw | - |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Delete | C:\Users\CIIHMN~1\Desktop\WORLDT~1.EXE | - |
|
1 |
Registry (121)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER | - |
|
71 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Open Key | HKEY_USERS | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER | value_name = Value, data = 0 |
|
38 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | value_name = cabilipc, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | value_name = AppData, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\svchost.exe | os_pid = 0xdd0, creation_flags = CREATE_SUSPENDED, CREATE_DEFAULT_ERROR_MODE, show_window = SW_HIDE |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Thread (6)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Suspend | c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe | os_tid = 0xd80 |
|
1 | |
| Get Context | c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe | os_tid = 0xd80 |
|
2 | |
| Set Context | c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe | os_tid = 0xd80 |
|
1 | |
| Resume | c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe | os_tid = 0xd80 |
|
2 |
Memory (5)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | C:\Windows\system32\svchost.exe | address = 0x2bbf0c0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 45871292 |
|
1 | |
| Protect | C:\Windows\system32\svchost.exe | address = 0x7ff673b43440, protection = PAGE_EXECUTE_READWRITE, size = 45872632 |
|
1 | |
| Protect | C:\Windows\system32\svchost.exe | address = 0x7ff673b43000, protection = PAGE_EXECUTE_READ, size = 45872632 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0xf60000, size = 792 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x7ff673b43440, size = 4 |
|
1 |
Module (221)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x77ca0000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x77290000 |
|
1 | |
| Load | SETUPAPI.dll | base_address = 0x76a90000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x75260000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | SHELL32.dll | base_address = 0x75430000 |
|
1 | |
| Load | ole32.dll | base_address = 0x768b0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
14 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77ca0000 |
|
19 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x76a10000 |
|
2 | |
| Get Handle | c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe | base_address = 0x400000 |
|
4 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x77150000 |
|
2 | |
| Get Filename | - | process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe, size = 260 |
|
3 | |
| Get Filename | c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe | process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
8 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memset, address_out = 0x77d0ee50 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = strstr, address_out = 0x77d10010 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = mbstowcs, address_out = 0x77d0e610 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlNtStatusToDosError, address_out = 0x77cf3010 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memcpy, address_out = 0x77d0e7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlGetVersion, address_out = 0x77cffcd0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlUnwind, address_out = 0x77cfaca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationProcess, address_out = 0x77d08d50 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x77d08f40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcessToken, address_out = 0x77d09d20 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationToken, address_out = 0x77d08df0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwClose, address_out = 0x77d08cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcess, address_out = 0x77d08e40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtUnmapViewOfSection, address_out = 0x77d08e80 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtMapViewOfSection, address_out = 0x77d08e60 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtCreateSection, address_out = 0x77d09080 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlFreeUnicodeString, address_out = 0x77cdb940 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlUpcaseUnicodeString, address_out = 0x77cee040 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = _aulldiv, address_out = 0x77d0c680 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQueryVirtualMemory, address_out = 0x77d08e10 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrStrIA, address_out = 0x772acd10 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrChrW, address_out = 0x772a6a00 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindFileNameW, address_out = 0x772a80d0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathCombineW, address_out = 0x772acd50 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindExtensionA, address_out = 0x772b1db0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrChrA, address_out = 0x772b26c0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrTrimW, address_out = 0x772a83a0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindExtensionW, address_out = 0x772a7c40 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrRChrA, address_out = 0x772b2900 |
|
1 | |
| Get Address | c:\windows\syswow64\setupapi.dll | function = SetupDiGetDeviceRegistryPropertyA, address_out = 0x76ae19a0 |
|
1 | |
| Get Address | c:\windows\syswow64\setupapi.dll | function = SetupDiGetClassDevsA, address_out = 0x76ab8d10 |
|
1 | |
| Get Address | c:\windows\syswow64\setupapi.dll | function = SetupDiEnumDeviceInfo, address_out = 0x76aa5620 |
|
1 | |
| Get Address | c:\windows\syswow64\setupapi.dll | function = SetupDiDestroyDeviceInfoList, address_out = 0x76aa5340 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameA, address_out = 0x7527f4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x75279640 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapDestroy, address_out = 0x7527d940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapCreate, address_out = 0x75279950 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x7529d410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileAttributesW, address_out = 0x75286510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x75272d80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyA, address_out = 0x7527e320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SwitchToThread, address_out = 0x75279f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventA, address_out = 0x75285f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempPathA, address_out = 0x75286410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileA, address_out = 0x75286270 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiW, address_out = 0x75277540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetWaitableTimer, address_out = 0x752860d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x752857f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x7529d320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x752861d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileA, address_out = 0x75286170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareFileTime, address_out = 0x75286130 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ResetEvent, address_out = 0x752860b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileTime, address_out = 0x75286380 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessA, address_out = 0x752a0960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryW, address_out = 0x75286150 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateWaitableTimerA, address_out = 0x7527db30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ResumeThread, address_out = 0x7527a280 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SuspendThread, address_out = 0x7527ed00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7527c1f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpynA, address_out = 0x7527f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsA, address_out = 0x752a0da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x75283a30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatA, address_out = 0x7527efc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryA, address_out = 0x75286140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtectEx, address_out = 0x752a2a00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileA, address_out = 0x75286210 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x7527a040 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSize, address_out = 0x75286360 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateRemoteThread, address_out = 0x752a0a00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x75278b70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiA, address_out = 0x75277610 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualFree, address_out = 0x75278c70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLongPathNameW, address_out = 0x752747c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointer, address_out = 0x75286530 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempFileNameA, address_out = 0x752863f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7717ea00 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CharUpperA, address_out = 0x771831c0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = FindWindowA, address_out = 0x77180980 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfW, address_out = 0x7717ddf0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MessageBoxA, address_out = 0x771ccf50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegEnumKeyExA, address_out = 0x76a32520 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteValueW, address_out = 0x76a30ca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x76a5bda0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthorityCount, address_out = 0x76a30f50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthority, address_out = 0x76a30ea0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyA, address_out = 0x76a331a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExA, address_out = 0x76a30750 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyA, address_out = 0x76a33150 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExA, address_out = 0x76a2ee40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExA, address_out = 0x76a2f000 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteW, address_out = 0x755c4370 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x755c4cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = 92, address_out = 0x756a7560 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoUninitialize, address_out = 0x76eadca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x76eacd50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetWindowThreadProcessId, address_out = 0x7716ba70 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Wow64EnableWow64FsRedirection, address_out = 0x7529b6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwWow64QueryInformationProcess64, address_out = 0x77d0a840 |
|
15 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwWow64ReadVirtualMemory64, address_out = 0x77d0a860 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, SEC_RESERVE, maximum_size = 4194304 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 45872600 |
|
1 | |
| Map | - | process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, desired_access = FILE_MAP_ALL_ACCESS |
|
1 | |
| Map | - | process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x3380000 |
|
1 | |
| Map | - | process_name = C:\Windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xe20000 |
|
1 |
Window (3)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Find | - | class_name = ProgMan |
|
2 | |
| Set Attribute | - | index = 18446744073709551596, new_long = 128 |
|
1 |
System (702)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Cursor | x_out = 480, y_out = 403 |
|
613 | |
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
10 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2018-10-30 17:03:49 (UTC) |
|
46 | |
| Get Time | type = System Time, time = 2018-10-30 17:03:50 (UTC) |
|
24 | |
| Get Time | type = System Time, time = 2018-10-30 17:03:52 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 133359 |
|
1 | |
| Get Info | type = Hardware Information |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #6: svchost.exe
314
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:58, Reason: Child Process |
| Unmonitor | End Time: 00:01:03, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdd0 |
| Parent PID | 0xd2c (c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DD4
0x
E14
0x
E3C
0x
E40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000e20000 | 0x00e20000 | 0x00f52fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f60fff | Private Memory | rwx |
|
|
|
- |
| private_0x000000007f7c5000 | 0x7f7c5000 | 0x7f7c5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000e6cce20000 | 0xe6cce20000 | 0xe6cce3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e6cce20000 | 0xe6cce20000 | 0xe6cce2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xe6cce30000 | 0xe6cce30fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000e6cce40000 | 0xe6cce40000 | 0xe6cce53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e6cce60000 | 0xe6cce60000 | 0xe6ccedffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e6ccee0000 | 0xe6ccee0000 | 0xe6ccee3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e6ccef0000 | 0xe6ccef0000 | 0xe6ccef0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e6ccf00000 | 0xe6ccf00000 | 0xe6ccf01fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xe6ccf10000 | 0xe6ccfcdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e6ccfd0000 | 0xe6ccfd0000 | 0xe6cd04ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0xe6cd050000 | 0xe6cd083fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e6cd050000 | 0xe6cd050000 | 0xe6cd050fff | Private Memory | rw |
|
|
|
- |
| private_0x000000e6cd060000 | 0xe6cd060000 | 0xe6cd060fff | Private Memory | rw |
|
|
|
- |
| msvfw32.dll.mui | 0xe6cd070000 | 0xe6cd071fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e6cd0a0000 | 0xe6cd0a0000 | 0xe6cd0a6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000e6cd100000 | 0xe6cd100000 | 0xe6cd1fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e6cd200000 | 0xe6cd200000 | 0xe6cd39cfff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e6cd200000 | 0xe6cd200000 | 0xe6cd387fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e6cd390000 | 0xe6cd390000 | 0xe6cd39cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000e6cd3a0000 | 0xe6cd3a0000 | 0xe6cd59ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e6cd400000 | 0xe6cd400000 | 0xe6cd4fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e6cd500000 | 0xe6cd500000 | 0xe6cd680fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e6cd690000 | 0xe6cd690000 | 0xe6cea8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e6cea90000 | 0xe6cea90000 | 0xe6ceb7cfff | Private Memory | rw |
|
|
|
- |
| oleaut32.dll | 0xe6cea90000 | 0xe6ceb4cfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e6ceb70000 | 0xe6ceb70000 | 0xe6ceb7cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000e6ceb80000 | 0xe6ceb80000 | 0xe6ced7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e6cec00000 | 0xe6cec00000 | 0xe6cecfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e6ced00000 | 0xe6ced00000 | 0xe6cee3cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000e6cee40000 | 0xe6cee40000 | 0xe6cf03ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e6cef00000 | 0xe6cef00000 | 0xe6ceffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e6cf000000 | 0xe6cf000000 | 0xe6cf1fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e6cf000000 | 0xe6cf000000 | 0xe6cf0fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e6cf100000 | 0xe6cf100000 | 0xe6cf2fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e6cf100000 | 0xe6cf100000 | 0xe6cf1fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e6cf200000 | 0xe6cf200000 | 0xe6cf3fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e6cf200000 | 0xe6cf200000 | 0xe6cf2fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xe6cf300000 | 0xe6cf636fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000e6cf640000 | 0xe6cf640000 | 0xe6cf772fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| pagefile_0x00007df5ff400000 | 0x7df5ff400000 | 0x7ff5ff3fffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff672fa0000 | 0x7ff672fa0000 | 0x7ff67309ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6730a0000 | 0x7ff6730a0000 | 0x7ff6730c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6730c4000 | 0x7ff6730c4000 | 0x7ff6730c4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6730cc000 | 0x7ff6730cc000 | 0x7ff6730cdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6730ce000 | 0x7ff6730ce000 | 0x7ff6730cffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff673b40000 | 0x7ff673b4cfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8d55b0000 | 0x7ff8d5659fff | Memory Mapped File | rwx |
|
|
|
- |
| msacm32.dll | 0x7ff8d5980000 | 0x7ff8d599bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvfw32.dll | 0x7ff8d5da0000 | 0x7ff8d5dc8fff | Memory Mapped File | rwx |
|
|
|
- |
| avifil32.dll | 0x7ff8da7b0000 | 0x7ff8da7cffff | Memory Mapped File | rwx |
|
|
|
- |
| winmmbase.dll | 0x7ff8db910000 | 0x7ff8db93bfff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x7ff8db940000 | 0x7ff8db962fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ff8e9720000 | 0x7ff8e9746fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x7ff8ee240000 | 0x7ff8ee247fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #5: c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe | 0xd80 | address = 0xe20000, size = 1257472 |
|
1 | |
| Modify Memory | #5: c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe | 0xd80 | address = 0xf60000, size = 792 |
|
1 | |
| Modify Control Flow | #5: c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe | 0xd80 | os_tid = 0xdd4, address = 0x730c4000 |
|
1 | |
| Modify Memory | #5: c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe | 0xd80 | address = 0x7ff673b43440, size = 4 |
|
1 |
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SYSTEM32\ntdll.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
3 | |
| Read | C:\Windows\SYSTEM32\ntdll.dll | size = 4, size_out = 4 |
|
3 |
Registry (12)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Ini, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Client, data = 232, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductID, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductName, data = 87 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = CurrentVersion, data = 54 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Scr, type = REG_NONE |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Client, size = 40, type = REG_BINARY |
|
1 |
Process (35)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\system32\svchost.exe | type = PROCESS_BASIC_INFORMATION |
|
34 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Thread (7)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | c:\windows\explorer.exe | proc_address = 0x7ff8ee389fa0, proc_parameter = 0, flags = THREAD_CREATE_SUSPENDED |
|
1 | |
| Suspend | c:\windows\explorer.exe | os_tid = 0xe38 |
|
1 | |
| Get Context | c:\windows\explorer.exe | os_tid = 0xe38 |
|
2 | |
| Set Context | c:\windows\explorer.exe | os_tid = 0xe38 |
|
1 | |
| Resume | c:\windows\explorer.exe | os_tid = 0xe38 |
|
2 |
Memory (9)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | c:\windows\explorer.exe | address = 0xe6ccede920, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 991280621864 |
|
1 | |
| Protect | c:\windows\explorer.exe | address = 0x7ff8ee389fa0, protection = PAGE_EXECUTE_READWRITE, size = 4 |
|
2 | |
| Protect | c:\windows\explorer.exe | address = 0x7ff8ee389fa0, protection = PAGE_EXECUTE_READ, size = 4 |
|
2 | |
| Read | c:\windows\explorer.exe | address = 0x7ff8ee389fa0, size = 4 |
|
1 | |
| Write | c:\windows\explorer.exe | address = 0x7ff8ee389fa0, size = 4 |
|
2 | |
| Write | c:\windows\explorer.exe | address = 0x5200000, size = 792 |
|
1 |
Module (227)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x0 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x0 |
|
1 | |
| Load | AVIFIL32.dll | base_address = 0x0 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x7ff8ee190000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x7ff8edfe0000 |
|
1 | |
| Load | USER32.dll | base_address = 0x7ff8ebdc0000 |
|
1 | |
| Load | PSAPI.DLL | base_address = 0x7ff8ee240000 |
|
1 | |
| Get Handle | c:\windows\system32\svchost.exe | base_address = 0x7ff673b40000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ff8ee2d0000 |
|
5 | |
| Get Handle | c:\windows\system32\ntdll.dll | base_address = 0x7ff8ee380000 |
|
4 | |
| Get Handle | c:\windows\system32\kernelbase.dll | base_address = 0x7ff8eb870000 |
|
1 | |
| Get Handle | c:\windows\system32\advapi32.dll | base_address = 0x7ff8ee190000 |
|
2 | |
| Get Filename | AVIFIL32.dll | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260 |
|
2 | |
| Get Filename | c:\windows\system32\ntdll.dll | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
3 | |
| Get Address | - | function = NtCreateSection, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = NtUnmapViewOfSection, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = NtMapViewOfSection, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = ZwOpenProcessToken, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = ZwClose, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = ZwQueryInformationToken, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = ZwOpenProcess, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = NtQuerySystemInformation, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = RtlNtStatusToDosError, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = ZwQueryInformationProcess, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = _wcsupr, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = _strupr, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = memmove, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = bsearch, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = _vsnwprintf, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = _strlwr, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = atoi, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = strstr, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = wcscpy, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = ZwQueryKey, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = RtlFreeUnicodeString, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = sprintf, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = _snprintf, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = memset, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = memcpy, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = strcpy, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = RtlAdjustPrivilege, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = mbstowcs, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = RtlImageNtHeader, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = memcmp, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = __C_specific_handler, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = __chkstk, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetLocalTime, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = OpenProcess, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = VirtualQueryEx, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = CreateRemoteThread, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetModuleFileNameW, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetVersion, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = SetEndOfFile, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = RemoveDirectoryW, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetTempFileNameA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = DeleteCriticalSection, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = CloseHandle, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = WriteProcessMemory, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = CreateFileA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = lstrcmpiA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetModuleFileNameA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetCurrentProcess, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = lstrcmpA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetModuleHandleA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = CreateFileMappingA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = MapViewOfFile, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = Sleep, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GlobalLock, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = lstrlenA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GlobalAlloc, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GlobalUnlock, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = HeapAlloc, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = lstrcpyA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetLastError, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = HeapFree, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = RemoveDirectoryA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = DeleteFileA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = lstrcatA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = WriteFile, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = CreateDirectoryA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = HeapDestroy, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = HeapCreate, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = SetEvent, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = HeapReAlloc, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetTickCount, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = FindNextFileW, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = CopyFileW, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = SetWaitableTimer, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = LocalAlloc, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetCurrentThread, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetCurrentThreadId, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = lstrlenW, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = CreateEventA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetWindowsDirectoryA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = DeleteFileW, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = CreateDirectoryW, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = CreateWaitableTimerA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetTempPathA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = FindFirstFileW, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = LocalFree, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = TerminateProcess, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = SuspendThread, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = WaitForMultipleObjects, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = ResumeThread, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = lstrcpyW, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = FileTimeToSystemTime, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = CreateThread, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = CreateFileW, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = ResetEvent, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = SwitchToThread, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = lstrcatW, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = CreateProcessW, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetFileSize, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetFileAttributesW, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = WideCharToMultiByte, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = LeaveCriticalSection, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = SetLastError, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = EnterCriticalSection, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetComputerNameA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = CreateMutexA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = OpenWaitableTimerA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = OpenMutexA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetVolumeInformationA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = WaitForSingleObject, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = ReleaseMutex, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetComputerNameW, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = InitializeCriticalSection, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = LoadLibraryExW, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = VirtualFree, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetFileAttributesA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = OpenFileMappingA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetExitCodeProcess, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = CreateProcessA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = lstrcpynA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = LocalReAlloc, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = TlsAlloc, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = TlsGetValue, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = TlsSetValue, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = LoadLibraryW, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetVersionExW, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = FreeLibrary, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = ReadFile, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = SetFilePointer, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = Thread32First, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = QueueUserAPC, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = OpenThread, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = Thread32Next, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = FindFirstFileA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = FindNextFileA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = ConnectNamedPipe, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetOverlappedResult, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = CancelIo, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = DisconnectNamedPipe, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = FlushFileBuffers, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = CallNamedPipeA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = CreateNamedPipeA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetSystemTime, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = WaitNamedPipeA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetCurrentProcessId, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = SleepEx, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = OpenEventA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = lstrcmpiW, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = RaiseException, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetSystemInfo, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = Process32NextW, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = Process32FirstW, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = QueueUserWorkItem, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = FindClose, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = GetDriveTypeW, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = VirtualProtectEx, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = AVIStreamRelease, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = AVIStreamWrite, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = AVIFileOpenA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = AVIFileCreateStreamA, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = AVIStreamSetFormat, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = AVIFileExit, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = AVIFileInit, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = AVIMakeCompressedStream, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | - | function = AVIFileRelease, ordinal = 0, address_out = 0xe6ccedf790 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7ff8ee2ee960 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ff8ee1ad610 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrRChrA, address_out = 0x7ff8edff4dd0 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x7ff8ebde2610 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyA, address_out = 0x7ff8ee1ab9e0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegQueryValueExA, address_out = 0x7ff8ee1a7dd0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7ff8ee1a72e0 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrToIntExA, address_out = 0x7ff8edff4e70 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrChrA, address_out = 0x7ff8edff4cc0 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrTrimA, address_out = 0x7ff8edff4e80 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7ff8ee1bec40 |
|
1 | |
| Get Address | c:\windows\system32\psapi.dll | function = EnumProcessModules, address_out = 0x7ff8ee241040 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrStrIW, address_out = 0x7ff8edfeb260 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetShellWindow, address_out = 0x7ff8ebde4060 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetWindowThreadProcessId, address_out = 0x7ff8ebdd4040 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlExitUserThread, address_out = 0x7ff8ee389fa0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyA, address_out = 0x7ff8ee1d6dc0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameW, address_out = 0x7ff8ee1ada40 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegSetValueExA, address_out = 0x7ff8ee192680 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExA, address_out = 0x7ff8ee1a7d70 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 991280623296 |
|
1 | |
| Map | - | process_name = c:\windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xe6cf640000 |
|
1 | |
| Map | - | process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xcfd0000 |
|
1 |
System (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | - |
|
1 | |
| Get Computer Name | result_out = LHNIWSJ |
|
2 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Get Time | type = Ticks, time = 141328 |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = {F6123870-DDED-9815-178A-614C3B5E2540} |
|
1 |
Process #7: explorer.exe
1180
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\explorer.exe |
| Command Line | C:\Windows\Explorer.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:01, Reason: Injection |
| Unmonitor | End Time: 00:01:12, Reason: Self Terminated |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x508 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
E28
0x
E24
0x
340
0x
90C
0x
960
0x
7C8
0x
7E8
0x
95C
0x
974
0x
46C
0x
BE0
0x
BDC
0x
A9C
0x
A98
0x
A94
0x
A90
0x
A8C
0x
A88
0x
A84
0x
A78
0x
A64
0x
A60
0x
A18
0x
9E4
0x
9D4
0x
9A8
0x
970
0x
96C
0x
964
0x
958
0x
950
0x
94C
0x
948
0x
940
0x
938
0x
930
0x
92C
0x
928
0x
8FC
0x
8F8
0x
8F4
0x
8F0
0x
8C0
0x
8A4
0x
878
0x
86C
0x
84C
0x
848
0x
844
0x
840
0x
830
0x
82C
0x
810
0x
80C
0x
808
0x
804
0x
5BC
0x
478
0x
5B4
0x
65C
0x
5E8
0x
55C
0x
E38
0x
E48
0x
E4C
0x
E50
0x
E58
0x
E5C
0x
E60
0x
E64
0x
E68
0x
E6C
0x
E70
0x
F68
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x00dcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00dd6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x00df3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00e7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x00e83fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e90000 | 0x00e90000 | 0x00e92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00ea1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00eb0000 | 0x00f6dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000f70000 | 0x00f70000 | 0x00f71fff | Pagefile Backed Memory | r |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000036.db | 0x00f80000 | 0x00f9bfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000fa0000 | 0x00fa0000 | 0x00fa2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x00fb1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fc3fff | Private Memory | rw |
|
|
|
- |
| wscui.cpl.mui | 0x00fd0000 | 0x00fe1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x00ff6fff | Private Memory | rw |
|
|
|
- |
| explorer.exe.mui | 0x01000000 | 0x01007fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x01010fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x01020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001030000 | 0x01030000 | 0x01030fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001040000 | 0x01040000 | 0x01040fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x01050fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001060000 | 0x01060000 | 0x01060fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x01070000 | 0x01073fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x01080000 | 0x01092fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x0119ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000011a0000 | 0x011a0000 | 0x011a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000011b0000 | 0x011b0000 | 0x0122ffff | Private Memory | rw |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000034.db | 0x01230000 | 0x0124dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001250000 | 0x01250000 | 0x01252fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001260000 | 0x01260000 | 0x0126ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001270000 | 0x01270000 | 0x01272fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001280000 | 0x01280000 | 0x012a9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000012b0000 | 0x012b0000 | 0x012b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000012c0000 | 0x012c0000 | 0x012cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000012d0000 | 0x012d0000 | 0x01457fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001460000 | 0x01460000 | 0x015e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000015f0000 | 0x015f0000 | 0x029effff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x029f0000 | 0x02d26fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002d30000 | 0x02d30000 | 0x02daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002db0000 | 0x02db0000 | 0x02e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e30000 | 0x02e30000 | 0x02eaffff | Private Memory | rw |
|
|
|
- |
| shell32.dll.mui | 0x02eb0000 | 0x02f10fff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll.mui | 0x02f20000 | 0x02ffefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003000000 | 0x03000000 | 0x0307ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003080000 | 0x03080000 | 0x030fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003100000 | 0x03100000 | 0x0317ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003180000 | 0x03180000 | 0x03181fff | Pagefile Backed Memory | r |
|
|
|
- |
| oleaccrc.dll | 0x03190000 | 0x03191fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll.mui | 0x031a0000 | 0x031a4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000031b0000 | 0x031b0000 | 0x03267fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000003270000 | 0x03270000 | 0x03273fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003280000 | 0x03280000 | 0x0337ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003380000 | 0x03380000 | 0x0347ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003480000 | 0x03480000 | 0x03480fff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x03490000 | 0x044cffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000044d0000 | 0x044d0000 | 0x044d6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044e0000 | 0x044e0000 | 0x044e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044f0000 | 0x044f0000 | 0x044f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004500000 | 0x04500000 | 0x04500fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004510000 | 0x04510000 | 0x0458ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004590000 | 0x04590000 | 0x04591fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045a0000 | 0x045a0000 | 0x045a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045b0000 | 0x045b0000 | 0x045b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045c0000 | 0x045c0000 | 0x045c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000045d0000 | 0x045d0000 | 0x045d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x045e0000 | 0x045e3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000045f0000 | 0x045f0000 | 0x045f0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004600000 | 0x04600000 | 0x04600fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004610000 | 0x04610000 | 0x04610fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004620000 | 0x04620000 | 0x04622fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004630000 | 0x04630000 | 0x04668fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000004670000 | 0x04670000 | 0x04672fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004680000 | 0x04680000 | 0x04680fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x04690fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046a0000 | 0x046a0000 | 0x0471ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004720000 | 0x04720000 | 0x0479ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000047a0000 | 0x047a0000 | 0x047a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x047b0000 | 0x047b3fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0x047c0000 | 0x04802fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x04810000 | 0x04813fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x04820000 | 0x048aafff | Memory Mapped File | r |
|
|
|
- |
| propsys.dll.mui | 0x048b0000 | 0x048c0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000048d0000 | 0x048d0000 | 0x0494ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004950000 | 0x04950000 | 0x049cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049d0000 | 0x049d0000 | 0x04a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a50000 | 0x04a50000 | 0x04a50fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a60000 | 0x04a60000 | 0x04adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ae0000 | 0x04ae0000 | 0x04b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b60000 | 0x04b60000 | 0x04bdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004be0000 | 0x04be0000 | 0x050d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000050e0000 | 0x050e0000 | 0x050e0fff | Private Memory | rw |
|
|
|
- |
| thumbcache_idx.db | 0x050f0000 | 0x050f1fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000005100000 | 0x05100000 | 0x05100fff | Pagefile Backed Memory | rw |
|
|
|
- |
| thumbcache_idx.db | 0x05110000 | 0x05111fff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_idx.db | 0x05130000 | 0x05131fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000005140000 | 0x05140000 | 0x051bffff | Private Memory | rw |
|
|
|
- |
| iconcache_idx.db | 0x051d0000 | 0x051d1fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00000000051e0000 | 0x051e0000 | 0x051e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| iconcache_idx.db | 0x05210000 | 0x05211fff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_idx.db | 0x05220000 | 0x05221fff | Memory Mapped File | rw |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000035.db | 0x05230000 | 0x0524bfff | Memory Mapped File | r |
|
|
|
- |
| thumbcache_idx.db | 0x05250000 | 0x05251fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000005260000 | 0x05260000 | 0x05262fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x052effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052f0000 | 0x052f0000 | 0x0536ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x053effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053f0000 | 0x053f0000 | 0x0546ffff | Private Memory | rw |
|
|
|
- |
| winnlsres.dll | 0x05470000 | 0x05474fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0x05480000 | 0x0548ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005490000 | 0x05490000 | 0x0550ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005510000 | 0x05510000 | 0x05510fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000005520000 | 0x05520000 | 0x05520fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005530000 | 0x05530000 | 0x05530fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005540000 | 0x05540000 | 0x055bffff | Private Memory | rw |
|
|
|
- |
| mswsock.dll.mui | 0x055c0000 | 0x055c2fff | Memory Mapped File | r |
|
|
|
- |
| iconcache_idx.db | 0x055d0000 | 0x055d1fff | Memory Mapped File | rw |
|
|
|
- |
| iconcache_256.db | 0x055e0000 | 0x055e0fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000055f0000 | 0x055f0000 | 0x05deffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000005df0000 | 0x05df0000 | 0x05df2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005e00000 | 0x05e00000 | 0x05e00fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005e10000 | 0x05e10000 | 0x05e12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005e20000 | 0x05e20000 | 0x05e20fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005e30000 | 0x05e30000 | 0x05e38fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005e40000 | 0x05e40000 | 0x05e43fff | Private Memory | rw |
|
|
|
- |
| windows.storage.dll.mui | 0x05e60000 | 0x05e67fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005e70000 | 0x05e70000 | 0x05e78fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005e80000 | 0x05e80000 | 0x05e80fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005e90000 | 0x05e90000 | 0x05efbfff | Private Memory | rw |
|
|
|
- |
| counters.dat | 0x05f00000 | 0x05f00fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000005f10000 | 0x05f10000 | 0x05f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005f90000 | 0x05f90000 | 0x0608ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000006090000 | 0x06090000 | 0x06092fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000060a0000 | 0x060a0000 | 0x060affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000060b0000 | 0x060b0000 | 0x060b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| iconcache_idx.db | 0x060c0000 | 0x060c1fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000060f0000 | 0x060f0000 | 0x06137fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000006140000 | 0x06140000 | 0x0614ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000006150000 | 0x06150000 | 0x0615ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000006160000 | 0x06160000 | 0x0616ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| stobject.dll.mui | 0x06170000 | 0x06171fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006180000 | 0x06180000 | 0x061fffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x06210000 | 0x06210fff | Memory Mapped File | r |
|
|
|
- |
| netmsg.dll.mui | 0x06220000 | 0x06251fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006260000 | 0x06260000 | 0x062dffff | Private Memory | rw |
|
|
|
- |
| thumbcache_48.db | 0x062e0000 | 0x063dffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000006400000 | 0x06400000 | 0x06447fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006450000 | 0x06450000 | 0x064cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000064e0000 | 0x064e0000 | 0x0655ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000006560000 | 0x06560000 | 0x06561fff | Pagefile Backed Memory | r |
|
|
|
- |
| grooveintlresource.dll | 0x06570000 | 0x06df2fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 393 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create Remote Thread | #6: c:\windows\system32\svchost.exe | 0xdd4 | address = 0x7ff8ee389fa0 |
|
1 | |
| Modify Memory | #6: c:\windows\system32\svchost.exe | 0xdd4 | address = 0x7ff8ee389fa0, size = 4 |
|
2 | |
| Modify Memory | #6: c:\windows\system32\svchost.exe | 0xdd4 | address = 0xcfd0000, size = 1257472 |
|
1 | |
| Modify Memory | #6: c:\windows\system32\svchost.exe | 0xdd4 | address = 0x5200000, size = 792 |
|
1 | |
| Modify Control Flow | #6: c:\windows\system32\svchost.exe | 0xdd4 | os_tid = 0xe38, address = 0x0 |
|
1 |
Host Behavior
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Pipe | \device\namedpipe\{072bb6f5-baec-d114-fc2b-8e95f08fa299} | open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_TYPE_MESSAGE, max_instances = 255 |
|
1 |
Registry (253)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Ini, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Install, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Client, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductID, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductName, data = 87 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = CurrentVersion, data = 54 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = {111F6A44-3C4D-6BC7-CED5-30CFE2D96473}, type = REG_NONE |
|
1 | |
| Read Value | - | value_name = CheckSetting, type = REG_NONE |
|
10 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482} | value_name = Disabled |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{2374911B-B114-42FE-900D-54F95FEE92E5} | value_name = Disabled |
|
1 | |
| Read Value | - | value_name = LastKnownState, type = REG_NONE |
|
3 | |
| Read Value | - | value_name = CheckSetting, type = REG_NONE |
|
4 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{96F4A050-7E31-453C-88BE-9634F4E02139} | value_name = Disabled |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{AA4C798D-D91B-4B07-A013-787F5803D6FC} | value_name = Disabled |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{34A3697E-0F10-4E48-AF3C-F869B5BABEBB} | value_name = Disabled |
|
1 | |
| Read Value | - | value_name = ActivationType, type = REG_NONE |
|
5 | |
| Read Value | - | value_name = Threading, type = REG_NONE |
|
4 | |
| Read Value | - | value_name = TrustLevel, type = REG_NONE |
|
5 | |
| Read Value | - | value_name = ActivateAsUser, type = REG_NONE |
|
4 | |
| Read Value | TreatAs | type = REG_NONE |
|
15 | |
| Read Value | - | data = 0 |
|
27 | |
| Read Value | - | data = Network List Manager |
|
1 | |
| Read Value | InprocHandler32 | - |
|
15 | |
| Read Value | InprocHandler | - |
|
15 | |
| Read Value | - | data = PSFactoryBuffer |
|
2 | |
| Read Value | - | value_name = InprocServer32 |
|
13 | |
| Read Value | - | data = C:\Windows\System32\npmproxy.dll |
|
1 | |
| Read Value | - | value_name = ThreadingModel, data = Both |
|
12 | |
| Read Value | - | data = Sync root manager |
|
1 | |
| Read Value | - | data = C:\Windows\System32\shell32.dll |
|
1 | |
| Read Value | - | - |
|
1 | |
| Read Value | - | data = C:\Windows\system32\dataexchange.dll |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows | value_name = DisplayVersion, type = REG_NONE |
|
6 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = PaintDesktopVersion, type = REG_NONE |
|
6 | |
| Read Value | - | data = Authentication UI Legacy Shutdown Dialog |
|
1 | |
| Read Value | - | data = C:\Windows\system32\shutdownux.dll |
|
1 | |
| Read Value | - | value_name = ThreadingModel, data = Apartment |
|
1 | |
| Read Value | - | value_name = Reason Setting, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | value_name = NoDisconnect |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | value_name = NoDisconnect |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | value_name = NoLogoff |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | value_name = NoLogoff |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings | value_name = ShowHibernateOption |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings | value_name = ShowSleepOption |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU | value_name = NoAUShutdownOption |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU | value_name = NoAUShutdownOption |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU | value_name = NoAUAsDefaultShutdownOption |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU | value_name = NoAUAsDefaultShutdownOption |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search | value_name = UseApp |
|
9 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search | value_name = SearchboxTaskbarMode, type = REG_NONE |
|
9 | |
| Read Value | - | data = Start Menu Cache |
|
1 | |
| Read Value | - | data = C:\Windows\system32\shell32.dll |
|
1 | |
| Read Value | - | data = Connected Account Services |
|
1 | |
| Read Value | - | data = C:\Windows\system32\SettingSyncCore.dll |
|
1 | |
| Read Value | - | value_name = ActivateAsUser, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TokenBroker\DefaultAccount | value_name = providerId, type = REG_NONE |
|
3 | |
| Read Value | - | data = Identity Store |
|
1 | |
| Read Value | - | data = C:\Windows\System32\IDStore.dll |
|
2 | |
| Read Value | - | data = Connected User Store |
|
1 | |
| Read Value | W32:00000000000301F2 | value_name = VirtualDesktop, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = AutoColorization |
|
1 | |
| Read Value | - | data = ShellItem Shell Namespace helper |
|
1 | |
| Read Value | - | data = C:\Windows\system32\windows.storage.dll |
|
1 | |
| Read Value | - | data = ShellWindows |
|
1 | |
| Read Value | - | data = PSOAInterface |
|
1 | |
| Read Value | - | data = C:\Windows\System32\oleaut32.dll |
|
2 | |
| Read Value | - | type = REG_NONE |
|
6 | |
| Read Value | - | data = PSDispatch |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell\Launcher | value_name = AllowAutoAppRestartOnCrash |
|
2 | |
| Read Value | - | data = Memory Mapped Cache Mgr |
|
1 | |
| Read Value | - | data = C:\Windows\system32\propsys.dll |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GameDVR | value_name = VKToggleGameBar, type = REG_NONE |
|
2 | |
| Read Value | - | value_name = Threading, type = REG_NONE |
|
1 | |
| Read Value | - | value_name = IdentityType, type = REG_NONE |
|
1 | |
| Read Value | - | value_name = Permissions, type = REG_NONE |
|
1 | |
| Read Value | - | value_name = ServerType, type = REG_NONE |
|
1 | |
| Read Value | - | data = C:\Windows\System32\\Windows.StateRepository.dll |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender | value_name = DisableAntiSpyware, type = REG_NONE |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | value_name = DisableRealtimeMonitoring, type = REG_NONE |
|
2 | |
| Write Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = EnableSPDY3_0, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = {111F6A44-3C4D-6BC7-CED5-30CFE2D96473}, size = 8, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | value_name = cabilipc, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, size = 118, type = REG_SZ |
|
1 | |
| Enumerate Values | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 |
Process (647)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\explorer.exe | type = PROCESS_BASIC_INFORMATION |
|
647 |
Module (239)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x0 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x0 |
|
1 | |
| Load | AVIFIL32.dll | base_address = 0x0 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x7ff8ee190000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x7ff8edfe0000 |
|
1 | |
| Load | USER32.dll | base_address = 0x7ff8ebdc0000 |
|
1 | |
| Load | PSAPI.DLL | base_address = 0x7ff8ee240000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7ff8ec300000 |
|
1 | |
| Load | ADVAPI32.DLL | base_address = 0x7ff8ee190000 |
|
1 | |
| Get Handle | Unknown module name | base_address = 0x7ff79fdc0000 |
|
1 | |
| Get Handle | KERNEL32.DLL | base_address = 0x7ff8ee2d0000 |
|
5 | |
| Get Handle | NTDLL.DLL | base_address = 0x7ff8ee380000 |
|
2 | |
| Get Handle | kernelbase | base_address = 0x7ff8eb870000 |
|
2 | |
| Get Handle | ADVAPI32.DLL | base_address = 0x7ff8ee190000 |
|
3 | |
| Get Filename | AVIFIL32.dll | process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260 |
|
2 | |
| Get Address | - | function = NtCreateSection, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = NtMapViewOfSection, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = ZwOpenProcessToken, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = ZwClose, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = ZwQueryInformationToken, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = ZwOpenProcess, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = NtQuerySystemInformation, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = _wcsupr, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = _strupr, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = memmove, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = bsearch, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = _vsnwprintf, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = _strlwr, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = atoi, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = strstr, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = wcscpy, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = ZwQueryKey, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = sprintf, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = _snprintf, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = memset, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = memcpy, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = strcpy, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = mbstowcs, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = RtlImageNtHeader, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = memcmp, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = __C_specific_handler, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = __chkstk, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetLocalTime, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = OpenProcess, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = VirtualQueryEx, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = CreateRemoteThread, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetModuleFileNameW, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetVersion, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = SetEndOfFile, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = RemoveDirectoryW, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetTempFileNameA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = DeleteCriticalSection, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = CloseHandle, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = WriteProcessMemory, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = CreateFileA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = lstrcmpiA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetModuleFileNameA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetCurrentProcess, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = lstrcmpA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetModuleHandleA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = CreateFileMappingA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = MapViewOfFile, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = Sleep, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GlobalLock, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = lstrlenA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GlobalAlloc, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GlobalUnlock, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = HeapAlloc, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = lstrcpyA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetLastError, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = HeapFree, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = RemoveDirectoryA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = DeleteFileA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = lstrcatA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = WriteFile, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = CreateDirectoryA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = HeapDestroy, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = HeapCreate, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = SetEvent, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = HeapReAlloc, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetTickCount, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = FindNextFileW, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = CopyFileW, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = SetWaitableTimer, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = LocalAlloc, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetCurrentThread, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetCurrentThreadId, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = lstrlenW, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = CreateEventA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = DeleteFileW, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = CreateDirectoryW, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = CreateWaitableTimerA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetTempPathA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = FindFirstFileW, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = LocalFree, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = TerminateProcess, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = SuspendThread, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = WaitForMultipleObjects, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = ResumeThread, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = lstrcpyW, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = FileTimeToSystemTime, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = CreateThread, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = CreateFileW, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = ResetEvent, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = SwitchToThread, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = lstrcatW, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = CreateProcessW, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetFileSize, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetFileAttributesW, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = WideCharToMultiByte, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = LeaveCriticalSection, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = SetLastError, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = EnterCriticalSection, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetComputerNameA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = CreateMutexA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = OpenWaitableTimerA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = OpenMutexA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetVolumeInformationA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = WaitForSingleObject, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = ReleaseMutex, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetComputerNameW, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = InitializeCriticalSection, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = LoadLibraryExW, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = VirtualFree, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetFileAttributesA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = OpenFileMappingA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetExitCodeProcess, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = CreateProcessA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = lstrcpynA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = LocalReAlloc, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = TlsAlloc, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = TlsGetValue, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = TlsSetValue, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = LoadLibraryW, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetVersionExW, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = FreeLibrary, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = ReadFile, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = SetFilePointer, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = Thread32First, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = QueueUserAPC, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = OpenThread, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = Thread32Next, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = FindFirstFileA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = FindNextFileA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = ConnectNamedPipe, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetOverlappedResult, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = CancelIo, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = DisconnectNamedPipe, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = FlushFileBuffers, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = CallNamedPipeA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = CreateNamedPipeA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetSystemTime, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = WaitNamedPipeA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetCurrentProcessId, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = SleepEx, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = OpenEventA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = lstrcmpiW, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = RaiseException, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetSystemInfo, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = Process32NextW, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = Process32FirstW, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = QueueUserWorkItem, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = FindClose, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = GetDriveTypeW, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = VirtualProtectEx, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = AVIStreamRelease, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = AVIStreamWrite, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = AVIFileOpenA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = AVIFileCreateStreamA, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = AVIStreamSetFormat, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = AVIFileExit, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = AVIFileInit, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = AVIMakeCompressedStream, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | - | function = AVIFileRelease, ordinal = 0, address_out = 0x61ffbc0 |
|
1 | |
| Get Address | Unknown module name | function = IsWow64Process, address_out = 0x7ff8ee2ee960 |
|
1 | |
| Get Address | Unknown module name | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ff8ee1ad610 |
|
1 | |
| Get Address | Unknown module name | function = StrRChrA, address_out = 0x7ff8edff4dd0 |
|
1 | |
| Get Address | Unknown module name | function = wsprintfA, address_out = 0x7ff8ebde2610 |
|
1 | |
| Get Address | Unknown module name | function = RegOpenKeyA, address_out = 0x7ff8ee1ab9e0 |
|
1 | |
| Get Address | Unknown module name | function = RegQueryValueExA, address_out = 0x7ff8ee1a7dd0 |
|
1 | |
| Get Address | Unknown module name | function = RegCloseKey, address_out = 0x7ff8ee1a72e0 |
|
1 | |
| Get Address | Unknown module name | function = StrToIntExA, address_out = 0x7ff8edff4e70 |
|
1 | |
| Get Address | Unknown module name | function = StrChrA, address_out = 0x7ff8edff4cc0 |
|
1 | |
| Get Address | Unknown module name | function = StrTrimA, address_out = 0x7ff8edff4e80 |
|
1 | |
| Get Address | Unknown module name | function = GetUserNameA, address_out = 0x7ff8ee1bec40 |
|
1 | |
| Get Address | Unknown module name | function = EnumProcessModules, address_out = 0x7ff8ee241040 |
|
1 | |
| Get Address | Unknown module name | function = StrStrIW, address_out = 0x7ff8edfeb260 |
|
1 | |
| Get Address | Unknown module name | function = RegEnumValueW, address_out = 0x7ff8ee1a7220 |
|
1 | |
| Get Address | Unknown module name | function = RegSetValueExA, address_out = 0x7ff8ee192680 |
|
1 | |
| Get Address | Unknown module name | function = RegCreateKeyA, address_out = 0x7ff8ee1d6dc0 |
|
1 | |
| Get Address | Unknown module name | function = RegOpenKeyExA, address_out = 0x7ff8ee1a7d70 |
|
1 | |
| Get Address | Unknown module name | function = CreateStreamOnHGlobal, address_out = 0x7ff8edd870a0 |
|
1 | |
| Get Address | Unknown module name | function = PathFindFileNameA, address_out = 0x7ff8edfecf30 |
|
1 | |
| Get Address | Unknown module name | function = SetWindowsHookExA, address_out = 0x7ff8ebdc27a0 |
|
1 | |
| Get Address | Unknown module name | function = RegisterClassA, address_out = 0x7ff8ebde1310 |
|
1 | |
| Get Address | Unknown module name | function = CreateWindowExA, address_out = 0x7ff8ebde4df0 |
|
1 | |
| Get Address | Unknown module name | function = GetWindowLongPtrA, address_out = 0x7ff8ebdccae0 |
|
1 | |
| Get Address | Unknown module name | function = DefWindowProcA, address_out = 0x7ff8ee413230 |
|
1 | |
| Get Address | Unknown module name | function = SetWindowLongPtrA, address_out = 0x7ff8ebdd61f0 |
|
1 | |
| Get Address | Unknown module name | function = GetMessageA, address_out = 0x7ff8ebddaa50 |
|
1 | |
| Get Address | Unknown module name | function = TranslateMessage, address_out = 0x7ff8ebdd36a0 |
|
1 | |
| Get Address | Unknown module name | function = DispatchMessageA, address_out = 0x7ff8ebde61e0 |
|
1 | |
| Get Address | Unknown module name | function = SetClipboardViewer, address_out = 0x7ff8ebdf0de0 |
|
1 | |
| Get Address | Unknown module name | function = PostMessageA, address_out = 0x7ff8ebde4900 |
|
1 | |
| Get Address | Unknown module name | function = OpenClipboard, address_out = 0x7ff8ebdeb6c0 |
|
1 | |
| Get Address | Unknown module name | function = GetClipboardData, address_out = 0x7ff8ebdeaba0 |
|
1 | |
| Get Address | Unknown module name | function = CloseClipboard, address_out = 0x7ff8ebdf0920 |
|
1 | |
| Get Address | Unknown module name | function = StrCmpIW, address_out = 0x7ff8edfebe50 |
|
1 | |
| Get Address | Unknown module name | function = CallNextHookEx, address_out = 0x7ff8ebdd52d0 |
|
1 | |
| Get Address | Unknown module name | function = RegSetValueExW, address_out = 0x7ff8ee1a7850 |
|
1 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = {67C589E2-FFD9-6764-3673-CA57D81D8CA1}, wndproc_parameter = 218331264 |
|
1 | |
| Create | - | class_name = {BEBDECA2-8399-9824-F633-8A1798DD4C61}, wndproc_parameter = 218330896 |
|
1 |
System (13)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Clipboard | format = 1 |
|
1 | |
| Sleep | duration = -1 (infinite) |
|
3 | |
| Get Time | type = Ticks, time = 142796 |
|
1 | |
| Get Time | type = System Time, time = 2018-10-30 17:04:02 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 143375 |
|
2 | |
| Register Hook | type = WH_KEYBOARD_LL, hookproc_address = 0xd00045c |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
Mutex (10)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = {CEF02F91-D541-3029-CFE2-D96473361DD8} |
|
1 | |
| Create | mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6} |
|
1 | |
| Create | mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D} |
|
1 | |
| Create | mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45} |
|
1 | |
| Open | mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 |
Process #8: autoclb.exe
1159
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:00, Reason: Autostart |
| Unmonitor | End Time: 00:02:10, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x590 |
| Parent PID | 0x810 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
8A0
0x
89C
0x
894
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00063fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00221fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0023ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00241fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00260000 | 0x0031dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00321fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00333fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00340fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| autoclb.exe | 0x00400000 | 0x0054efff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000640000 | 0x00640000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x009c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x00b50fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x01f5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001f60000 | 0x01f60000 | 0x0205ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002150000 | 0x02150000 | 0x0215ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002160000 | 0x02160000 | 0x0235ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002160000 | 0x02160000 | 0x0225ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002350000 | 0x02350000 | 0x0235ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002360000 | 0x02360000 | 0x0275ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002760000 | 0x02760000 | 0x02aeffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002af0000 | 0x02af0000 | 0x02beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bf0000 | 0x02bf0000 | 0x0301ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x03020000 | 0x03356fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003360000 | 0x03360000 | 0x03521fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003360000 | 0x03360000 | 0x03492fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x00000000034a0000 | 0x034a0000 | 0x03661fff | Private Memory | rw |
|
|
|
- |
| wow64.dll | 0x71310000 | 0x7135efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x71360000 | 0x713d2fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x713e0000 | 0x713e7fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x74250000 | 0x74270fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x74280000 | 0x742c3fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x742d0000 | 0x74344fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74350000 | 0x74558fff | Memory Mapped File | rwx |
|
|
|
- |
| tapi32.dll | 0x74560000 | 0x74593fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x745a0000 | 0x745aefff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745b0000 | 0x745b7fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x745c0000 | 0x74651fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74660000 | 0x746b8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x746c0000 | 0x746c9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x746d0000 | 0x746edfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x746f0000 | 0x74865fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x74870000 | 0x74d4cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74d50000 | 0x74dcafff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x74dd0000 | 0x74e61fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x74e70000 | 0x74e7efff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74ee0000 | 0x74f8bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f90000 | 0x75149fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x75150000 | 0x7515bfff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x75160000 | 0x751ecfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x75330000 | 0x75373fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75380000 | 0x7546ffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x755e0000 | 0x7699efff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x769a0000 | 0x769adfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x769b0000 | 0x76b24fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76b30000 | 0x76c4ffff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76cb0000 | 0x76d99fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76da0000 | 0x76de2fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76e50000 | 0x76e7afff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x76e80000 | 0x76eb5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76ed0000 | 0x76f8dfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76fa0000 | 0x770ecfff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x77100000 | 0x77141fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77150000 | 0x77193fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x771a0000 | 0x772dffff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x77410000 | 0x775b4fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x775c0000 | 0x77738fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffd58c2ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffd58c30000 | 0x7ffd58df1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffd58df2000 | 0x7ffd58df2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\98F9CE91 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\c_1252.nls | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
3 | |
| Create Directory | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw | - |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (121)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER | - |
|
71 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Open Key | HKEY_USERS | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER | value_name = Value, data = 0 |
|
38 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | value_name = cabilipc, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | value_name = AppData, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\svchost.exe | os_pid = 0x910, creation_flags = CREATE_SUSPENDED, CREATE_DEFAULT_ERROR_MODE, show_window = SW_HIDE |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Thread (6)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Suspend | c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | os_tid = 0x894 |
|
1 | |
| Get Context | c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | os_tid = 0x894 |
|
2 | |
| Set Context | c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | os_tid = 0x894 |
|
1 | |
| Resume | c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | os_tid = 0x894 |
|
2 |
Memory (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Protect | C:\Windows\system32\svchost.exe | address = 0x7ff64e653440, protection = PAGE_EXECUTE_READWRITE, size = 46069240 |
|
1 | |
| Protect | C:\Windows\system32\svchost.exe | address = 0x7ff64e653000, protection = PAGE_EXECUTE_READ, size = 46069240 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0xf30000, size = 792 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x7ff64e653440, size = 4 |
|
1 |
Module (218)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x775c0000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x77150000 |
|
1 | |
| Load | SETUPAPI.dll | base_address = 0x77410000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x75380000 |
|
1 | |
| Load | USER32.dll | base_address = 0x771a0000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x74d50000 |
|
1 | |
| Load | SHELL32.dll | base_address = 0x755e0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x76cb0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75380000 |
|
13 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x775c0000 |
|
19 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x74d50000 |
|
2 | |
| Get Handle | c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | base_address = 0x400000 |
|
3 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x771a0000 |
|
2 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, size = 260 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7539a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75397580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75399910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7539f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7761f190 |
|
8 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7761a200 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75399680 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memset, address_out = 0x7762ee50 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = strstr, address_out = 0x77630010 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = mbstowcs, address_out = 0x7762e610 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlNtStatusToDosError, address_out = 0x77613010 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memcpy, address_out = 0x7762e7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlGetVersion, address_out = 0x7761fcd0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlUnwind, address_out = 0x7761aca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationProcess, address_out = 0x77628d50 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x77628f40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcessToken, address_out = 0x77629d20 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationToken, address_out = 0x77628df0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwClose, address_out = 0x77628cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcess, address_out = 0x77628e40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtUnmapViewOfSection, address_out = 0x77628e80 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtMapViewOfSection, address_out = 0x77628e60 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtCreateSection, address_out = 0x77629080 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlFreeUnicodeString, address_out = 0x775fb940 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlUpcaseUnicodeString, address_out = 0x7760e040 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = _aulldiv, address_out = 0x7762c680 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQueryVirtualMemory, address_out = 0x77628e10 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrStrIA, address_out = 0x7716cd10 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrChrW, address_out = 0x77166a00 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindFileNameW, address_out = 0x771680d0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathCombineW, address_out = 0x7716cd50 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindExtensionA, address_out = 0x77171db0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrChrA, address_out = 0x771726c0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrTrimW, address_out = 0x771683a0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindExtensionW, address_out = 0x77167c40 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrRChrA, address_out = 0x77172900 |
|
1 | |
| Get Address | c:\windows\syswow64\setupapi.dll | function = SetupDiGetDeviceRegistryPropertyA, address_out = 0x774619a0 |
|
1 | |
| Get Address | c:\windows\syswow64\setupapi.dll | function = SetupDiGetClassDevsA, address_out = 0x77438d10 |
|
1 | |
| Get Address | c:\windows\syswow64\setupapi.dll | function = SetupDiEnumDeviceInfo, address_out = 0x77425620 |
|
1 | |
| Get Address | c:\windows\syswow64\setupapi.dll | function = SetupDiDestroyDeviceInfoList, address_out = 0x77425340 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x753925e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameA, address_out = 0x7539f4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x753a74f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x75399640 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7539a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77622570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x753a5f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75399700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapDestroy, address_out = 0x7539d940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapCreate, address_out = 0x75399950 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x753a60c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x753bd410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileAttributesW, address_out = 0x753a6510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x75392d80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyA, address_out = 0x7539e320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SwitchToThread, address_out = 0x75399f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x753a64f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventA, address_out = 0x753a5f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x753a62a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempPathA, address_out = 0x753a6410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75392db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileA, address_out = 0x753a6270 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x775fda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiW, address_out = 0x75397540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75397940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetWaitableTimer, address_out = 0x753a60d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x753a57f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x753bd320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x753a61d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileA, address_out = 0x753a6170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareFileTime, address_out = 0x753a6130 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ResetEvent, address_out = 0x753a60b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x753a6590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileTime, address_out = 0x753a6380 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessA, address_out = 0x753c0960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryW, address_out = 0x753a6150 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x753a61b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x753a6180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateWaitableTimerA, address_out = 0x7539db30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ResumeThread, address_out = 0x7539a280 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SuspendThread, address_out = 0x7539ed00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7539c1f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpynA, address_out = 0x7539f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x753987c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsA, address_out = 0x753c0da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x753977b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x753a3a30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatA, address_out = 0x7539efc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x753a6110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x753a64a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7539c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryA, address_out = 0x753a6140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtectEx, address_out = 0x753c2a00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileA, address_out = 0x753a6210 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x7539a040 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75399560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSize, address_out = 0x753a6360 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x753992b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateRemoteThread, address_out = 0x753c0a00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x75398b70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiA, address_out = 0x75397610 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualFree, address_out = 0x75398c70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75392af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75391d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7539a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLongPathNameW, address_out = 0x753947c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointer, address_out = 0x753a6530 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempFileNameA, address_out = 0x753a63f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x771cea00 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CharUpperA, address_out = 0x771d31c0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = FindWindowA, address_out = 0x771d0980 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfW, address_out = 0x771cddf0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MessageBoxA, address_out = 0x7721cf50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74d6ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegEnumKeyExA, address_out = 0x74d72520 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74d6f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteValueW, address_out = 0x74d70ca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x74d9bda0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74d6f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthorityCount, address_out = 0x74d70f50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthority, address_out = 0x74d70ea0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74d6ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyA, address_out = 0x74d731a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExA, address_out = 0x74d70750 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyA, address_out = 0x74d73150 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74d6ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74d6efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExA, address_out = 0x74d6ee40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExA, address_out = 0x74d6f000 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteW, address_out = 0x75774370 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x75774cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = 92, address_out = 0x75857560 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoUninitialize, address_out = 0x74ffdca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x74ffcd50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x753996e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetWindowThreadProcessId, address_out = 0x771bba70 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Wow64EnableWow64FsRedirection, address_out = 0x753bb6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwWow64QueryInformationProcess64, address_out = 0x7762a840 |
|
15 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwWow64ReadVirtualMemory64, address_out = 0x7762a860 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, SEC_RESERVE, maximum_size = 4194304 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 46069208 |
|
1 | |
| Map | - | process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, desired_access = FILE_MAP_ALL_ACCESS |
|
1 | |
| Map | - | process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x3360000 |
|
1 | |
| Map | - | process_name = C:\Windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xdf0000 |
|
1 |
Window (3)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Find | - | class_name = ProgMan |
|
2 | |
| Set Attribute | - | index = 18446744073709551596, new_long = 128 |
|
1 |
System (786)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Cursor | x_out = 258, y_out = 857 |
|
699 | |
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
10 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2018-10-30 06:04:59 (UTC) |
|
70 | |
| Get Time | type = System Time, time = 2018-10-30 06:05:01 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 43156 |
|
1 | |
| Get Info | type = Hardware Information |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #9: svchost.exe
307
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:10, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x910 |
| Parent PID | 0x590 (c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
550
0x
44C
0x
2E0
0x
450
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000df0000 | 0x00df0000 | 0x00f22fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f30fff | Private Memory | rwx |
|
|
|
- |
| private_0x000000007fe6f000 | 0x7fe6f000 | 0x7fe6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000ac6ddf0000 | 0xac6ddf0000 | 0xac6de0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ac6ddf0000 | 0xac6ddf0000 | 0xac6ddfffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xac6de00000 | 0xac6de00fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ac6de10000 | 0xac6de10000 | 0xac6de23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ac6de30000 | 0xac6de30000 | 0xac6deaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ac6deb0000 | 0xac6deb0000 | 0xac6deb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ac6dec0000 | 0xac6dec0000 | 0xac6dec0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ac6ded0000 | 0xac6ded0000 | 0xac6ded1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xac6dee0000 | 0xac6df9dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ac6dfa0000 | 0xac6dfa0000 | 0xac6dfa0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ac6dfb0000 | 0xac6dfb0000 | 0xac6dfb0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ac6dfc0000 | 0xac6dfc0000 | 0xac6dfc6fff | Private Memory | rw |
|
|
|
- |
| msvfw32.dll.mui | 0xac6dfd0000 | 0xac6dfd1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ac6e000000 | 0xac6e000000 | 0xac6e0fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ac6e100000 | 0xac6e100000 | 0xac6e17ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ac6e180000 | 0xac6e180000 | 0xac6e1ccfff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0xac6e180000 | 0xac6e1b3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ac6e1c0000 | 0xac6e1c0000 | 0xac6e1ccfff | Private Memory | rw |
|
|
|
- |
| private_0x000000ac6e1d0000 | 0xac6e1d0000 | 0xac6e3cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ac6e200000 | 0xac6e200000 | 0xac6e2fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ac6e300000 | 0xac6e300000 | 0xac6e487fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ac6e490000 | 0xac6e490000 | 0xac6e610fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ac6e620000 | 0xac6e620000 | 0xac6fa1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ac6fa20000 | 0xac6fa20000 | 0xac6fa7cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000ac6fa80000 | 0xac6fa80000 | 0xac6fc7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ac6fa80000 | 0xac6fa80000 | 0xac6faecfff | Private Memory | rw |
|
|
|
- |
| private_0x000000ac6fb00000 | 0xac6fb00000 | 0xac6fbfffff | Private Memory | rw |
|
|
|
- |
| oleaut32.dll | 0xac6fc00000 | 0xac6fcbcfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ac6fc00000 | 0xac6fc00000 | 0xac6fdfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ac6fc00000 | 0xac6fc00000 | 0xac6fcfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ac6fd00000 | 0xac6fd00000 | 0xac6fefffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ac6fd00000 | 0xac6fd00000 | 0xac6fdfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ac6fe00000 | 0xac6fe00000 | 0xac6fffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ac6fe00000 | 0xac6fe00000 | 0xac6fefffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ac6ff00000 | 0xac6ff00000 | 0xac700fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ac6ff00000 | 0xac6ff00000 | 0xac6fffffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xac70000000 | 0xac70336fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ac70340000 | 0xac70340000 | 0xac70472fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| pagefile_0x00007df5ff250000 | 0x7df5ff250000 | 0x7ff5ff24ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff64e300000 | 0x7ff64e300000 | 0x7ff64e3fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff64e400000 | 0x7ff64e400000 | 0x7ff64e422fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff64e42b000 | 0x7ff64e42b000 | 0x7ff64e42cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64e42d000 | 0x7ff64e42d000 | 0x7ff64e42efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64e42f000 | 0x7ff64e42f000 | 0x7ff64e42ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff64e650000 | 0x7ff64e65cfff | Memory Mapped File | rwx |
|
|
|
- |
| winmmbase.dll | 0x7ffd459b0000 | 0x7ffd459dbfff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x7ffd459e0000 | 0x7ffd45a02fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffd4e790000 | 0x7ffd4e839fff | Memory Mapped File | rwx |
|
|
|
- |
| msacm32.dll | 0x7ffd51600000 | 0x7ffd5161bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvfw32.dll | 0x7ffd51620000 | 0x7ffd51648fff | Memory Mapped File | rwx |
|
|
|
- |
| avifil32.dll | 0x7ffd53d30000 | 0x7ffd53d4ffff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffd53fd0000 | 0x7ffd53ff6fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffd55280000 | 0x7ffd552abfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffd55680000 | 0x7ffd556c9fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffd556d0000 | 0x7ffd556e2fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffd556f0000 | 0x7ffd556fefff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffd55700000 | 0x7ffd55743fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffd55a30000 | 0x7ffd56057fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffd56060000 | 0x7ffd56112fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffd56120000 | 0x7ffd562fcfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffd563e0000 | 0x7ffd5648cfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffd56490000 | 0x7ffd565d0fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffd565e0000 | 0x7ffd56764fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffd56770000 | 0x7ffd5680cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffd569e0000 | 0x7ffd56b3bfff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x7ffd56ba0000 | 0x7ffd56ba7fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffd56d80000 | 0x7ffd56ffbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffd57010000 | 0x7ffd5715dfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffd57160000 | 0x7ffd58684fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffd58690000 | 0x7ffd586e0fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffd58840000 | 0x7ffd5889afff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffd588a0000 | 0x7ffd588d5fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffd589a0000 | 0x7ffd58ac5fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffd58b80000 | 0x7ffd58c25fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffd58c30000 | 0x7ffd58df1fff | Memory Mapped File | rwx |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #8: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | 0x894 | address = 0xdf0000, size = 1257472 |
|
1 | |
| Modify Memory | #8: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | 0x894 | address = 0xf30000, size = 792 |
|
1 | |
| Modify Control Flow | #8: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | 0x894 | os_tid = 0x550, address = 0x4e42f000 |
|
1 | |
| Modify Memory | #8: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | 0x894 | address = 0x7ff64e653440, size = 4 |
|
1 |
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SYSTEM32\ntdll.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
3 | |
| Read | C:\Windows\SYSTEM32\ntdll.dll | size = 4, size_out = 4 |
|
3 |
Registry (11)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Ini, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Client, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductID, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductName, data = 87 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = CurrentVersion, data = 54 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Scr, type = REG_NONE |
|
1 |
Process (35)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\system32\svchost.exe | type = PROCESS_BASIC_INFORMATION |
|
34 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Thread (7)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | c:\windows\explorer.exe | proc_address = 0x7ffd58c39fa0, proc_parameter = 0, flags = THREAD_CREATE_SUSPENDED |
|
1 | |
| Suspend | c:\windows\explorer.exe | os_tid = 0x2ec |
|
1 | |
| Get Context | c:\windows\explorer.exe | os_tid = 0x2ec |
|
2 | |
| Set Context | c:\windows\explorer.exe | os_tid = 0x2ec |
|
1 | |
| Resume | c:\windows\explorer.exe | os_tid = 0x2ec |
|
2 |
Memory (9)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | c:\windows\explorer.exe | address = 0xac6deae950, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 740578486616 |
|
1 | |
| Protect | c:\windows\explorer.exe | address = 0x7ffd58c39fa0, protection = PAGE_EXECUTE_READWRITE, size = 4 |
|
2 | |
| Protect | c:\windows\explorer.exe | address = 0x7ffd58c39fa0, protection = PAGE_EXECUTE_READ, size = 4 |
|
2 | |
| Read | c:\windows\explorer.exe | address = 0x7ffd58c39fa0, size = 4 |
|
1 | |
| Write | c:\windows\explorer.exe | address = 0x7ffd58c39fa0, size = 4 |
|
2 | |
| Write | c:\windows\explorer.exe | address = 0x9ee0000, size = 792 |
|
1 |
Module (225)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x0 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x0 |
|
1 | |
| Load | AVIFIL32.dll | base_address = 0x0 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x7ffd58b80000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x7ffd58690000 |
|
1 | |
| Load | USER32.dll | base_address = 0x7ffd57010000 |
|
1 | |
| Load | PSAPI.DLL | base_address = 0x7ffd56ba0000 |
|
1 | |
| Get Handle | c:\windows\system32\svchost.exe | base_address = 0x7ff64e650000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffd563e0000 |
|
5 | |
| Get Handle | c:\windows\system32\ntdll.dll | base_address = 0x7ffd58c30000 |
|
4 | |
| Get Handle | c:\windows\system32\kernelbase.dll | base_address = 0x7ffd56120000 |
|
1 | |
| Get Handle | c:\windows\system32\advapi32.dll | base_address = 0x7ffd58b80000 |
|
2 | |
| Get Filename | AVIFIL32.dll | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260 |
|
2 | |
| Get Filename | c:\windows\system32\ntdll.dll | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
3 | |
| Get Address | - | function = NtCreateSection, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = NtUnmapViewOfSection, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = NtMapViewOfSection, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = ZwOpenProcessToken, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = ZwClose, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = ZwQueryInformationToken, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = ZwOpenProcess, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = NtQuerySystemInformation, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = RtlNtStatusToDosError, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = ZwQueryInformationProcess, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = _wcsupr, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = _strupr, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = memmove, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = bsearch, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = _vsnwprintf, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = _strlwr, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = atoi, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = strstr, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = wcscpy, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = ZwQueryKey, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = RtlFreeUnicodeString, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = sprintf, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = _snprintf, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = memset, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = memcpy, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = strcpy, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = RtlAdjustPrivilege, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = mbstowcs, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = RtlImageNtHeader, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = memcmp, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = __C_specific_handler, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = __chkstk, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetLocalTime, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = OpenProcess, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = VirtualQueryEx, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = CreateRemoteThread, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetModuleFileNameW, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetVersion, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = SetEndOfFile, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = RemoveDirectoryW, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetTempFileNameA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = DeleteCriticalSection, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = CloseHandle, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = WriteProcessMemory, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = CreateFileA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = lstrcmpiA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetModuleFileNameA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetCurrentProcess, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = lstrcmpA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetModuleHandleA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = CreateFileMappingA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = MapViewOfFile, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = Sleep, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GlobalLock, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = lstrlenA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GlobalAlloc, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GlobalUnlock, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = HeapAlloc, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = lstrcpyA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetLastError, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = HeapFree, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = RemoveDirectoryA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = DeleteFileA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = lstrcatA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = WriteFile, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = CreateDirectoryA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = HeapDestroy, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = HeapCreate, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = SetEvent, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = HeapReAlloc, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetTickCount, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = FindNextFileW, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = CopyFileW, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = SetWaitableTimer, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = LocalAlloc, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetCurrentThread, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetCurrentThreadId, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = lstrlenW, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = CreateEventA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetWindowsDirectoryA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = DeleteFileW, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = CreateDirectoryW, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = CreateWaitableTimerA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetTempPathA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = FindFirstFileW, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = LocalFree, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = TerminateProcess, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = SuspendThread, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = WaitForMultipleObjects, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = ResumeThread, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = lstrcpyW, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = FileTimeToSystemTime, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = CreateThread, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = CreateFileW, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = ResetEvent, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = SwitchToThread, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = lstrcatW, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = CreateProcessW, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetFileSize, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetFileAttributesW, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = WideCharToMultiByte, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = LeaveCriticalSection, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = SetLastError, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = EnterCriticalSection, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetComputerNameA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = CreateMutexA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = OpenWaitableTimerA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = OpenMutexA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetVolumeInformationA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = WaitForSingleObject, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = ReleaseMutex, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetComputerNameW, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = InitializeCriticalSection, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = LoadLibraryExW, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = VirtualFree, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetFileAttributesA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = OpenFileMappingA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetExitCodeProcess, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = CreateProcessA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = lstrcpynA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = LocalReAlloc, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = TlsAlloc, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = TlsGetValue, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = TlsSetValue, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = LoadLibraryW, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetVersionExW, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = FreeLibrary, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = ReadFile, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = SetFilePointer, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = Thread32First, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = QueueUserAPC, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = OpenThread, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = Thread32Next, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = FindFirstFileA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = FindNextFileA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = ConnectNamedPipe, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetOverlappedResult, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = CancelIo, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = DisconnectNamedPipe, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = FlushFileBuffers, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = CallNamedPipeA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = CreateNamedPipeA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetSystemTime, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = WaitNamedPipeA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetCurrentProcessId, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = SleepEx, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = OpenEventA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = lstrcmpiW, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = RaiseException, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetSystemInfo, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = Process32NextW, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = Process32FirstW, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = QueueUserWorkItem, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = FindClose, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = GetDriveTypeW, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = VirtualProtectEx, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = AVIStreamRelease, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = AVIStreamWrite, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = AVIFileOpenA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = AVIFileCreateStreamA, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = AVIStreamSetFormat, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = AVIFileExit, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = AVIFileInit, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = AVIMakeCompressedStream, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | - | function = AVIFileRelease, ordinal = 0, address_out = 0xac6deaf7c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7ffd563fe960 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ffd58b9d610 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrRChrA, address_out = 0x7ffd586a4dd0 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x7ffd57032610 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyA, address_out = 0x7ffd58b9b9e0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegQueryValueExA, address_out = 0x7ffd58b97dd0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7ffd58b972e0 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrToIntExA, address_out = 0x7ffd586a4e70 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrChrA, address_out = 0x7ffd586a4cc0 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrTrimA, address_out = 0x7ffd586a4e80 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7ffd58baec40 |
|
1 | |
| Get Address | c:\windows\system32\psapi.dll | function = EnumProcessModules, address_out = 0x7ffd56ba1040 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrStrIW, address_out = 0x7ffd5869b260 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetShellWindow, address_out = 0x7ffd57034060 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetWindowThreadProcessId, address_out = 0x7ffd57024040 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlExitUserThread, address_out = 0x7ffd58c39fa0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyA, address_out = 0x7ffd58bc6dc0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExA, address_out = 0x7ffd58b97d70 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 740578488048 |
|
1 | |
| Map | - | process_name = c:\windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xac70340000 |
|
1 | |
| Map | - | process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x9da0000 |
|
1 |
System (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Get Time | type = Ticks, time = 49437 |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = {365593F7-1DCB-D8D1-57CA-A18C7B9E6580} |
|
1 |
Process #10: explorer.exe
1394
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\explorer.exe |
| Command Line | C:\Windows\Explorer.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:09, Reason: Injection |
| Unmonitor | End Time: 00:04:26, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:17 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x810 |
| Parent PID | 0x7e4 (c:\windows\system32\userinit.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
2E8
0x
458
0x
510
0x
B98
0x
B8C
0x
B78
0x
B6C
0x
B68
0x
B4C
0x
B48
0x
B40
0x
B3C
0x
B30
0x
B28
0x
B20
0x
B14
0x
AF4
0x
AE8
0x
AE0
0x
ADC
0x
AD4
0x
AD0
0x
ACC
0x
AC0
0x
AB8
0x
AB0
0x
AAC
0x
A98
0x
97C
0x
960
0x
94C
0x
944
0x
940
0x
938
0x
934
0x
930
0x
92C
0x
91C
0x
90C
0x
904
0x
900
0x
8FC
0x
8F4
0x
8F0
0x
8EC
0x
8E0
0x
8DC
0x
8D8
0x
8D4
0x
8C8
0x
8C4
0x
8C0
0x
8BC
0x
890
0x
878
0x
874
0x
870
0x
86C
0x
864
0x
860
0x
85C
0x
858
0x
854
0x
850
0x
84C
0x
844
0x
840
0x
838
0x
830
0x
82C
0x
828
0x
824
0x
820
0x
818
0x
814
0x
2EC
0x
2CC
0x
880
0x
4E0
0x
14C
0x
4FC
0x
9E4
0x
BC4
0x
B84
0x
BE8
0x
EC
0x
548
0x
67C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000e30000 | 0x00e30000 | 0x00e3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e46fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x00e63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00eeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ef0000 | 0x00ef0000 | 0x00ef3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f00000 | 0x00f00000 | 0x00f02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f11fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00f20000 | 0x00fddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x0105ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001060000 | 0x01060000 | 0x01066fff | Private Memory | rw |
|
|
|
- |
| explorer.exe.mui | 0x01070000 | 0x01077fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001080000 | 0x01080000 | 0x01080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001090000 | 0x01090000 | 0x01090fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000010a0000 | 0x010a0000 | 0x010a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000010b0000 | 0x010b0000 | 0x010b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x010c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000010d0000 | 0x010d0000 | 0x010d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000010e0000 | 0x010e0000 | 0x010effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010f0000 | 0x010f0000 | 0x010fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001100000 | 0x01100000 | 0x011fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01387fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001390000 | 0x01390000 | 0x01510fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001520000 | 0x01520000 | 0x0291ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02920000 | 0x02c56fff | Memory Mapped File | r |
|
|
|
- |
| cversions.1.db | 0x02c60000 | 0x02c63fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001d.db | 0x02c70000 | 0x02c83fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002c90000 | 0x02c90000 | 0x02c90fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002ca0000 | 0x02ca0000 | 0x02d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d20000 | 0x02d20000 | 0x02d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002da0000 | 0x02da0000 | 0x02e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e20000 | 0x02e20000 | 0x02e9ffff | Private Memory | rw |
|
|
|
- |
| shell32.dll.mui | 0x02ea0000 | 0x02f00fff | Memory Mapped File | r |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000036.db | 0x02f10000 | 0x02f2bfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002f30000 | 0x02f30000 | 0x02f32fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002f40000 | 0x02f40000 | 0x02f42fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002f50000 | 0x02f50000 | 0x02f79fff | Pagefile Backed Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x02f80000 | 0x0305efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003060000 | 0x03060000 | 0x030dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000030e0000 | 0x030e0000 | 0x0315ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003160000 | 0x03160000 | 0x031dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000031e0000 | 0x031e0000 | 0x031e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000031f0000 | 0x031f0000 | 0x031f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| oleaccrc.dll | 0x03200000 | 0x03201fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll.mui | 0x03210000 | 0x03214fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000003220000 | 0x03220000 | 0x032d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000032e0000 | 0x032e0000 | 0x032e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000032f0000 | 0x032f0000 | 0x033effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000033f0000 | 0x033f0000 | 0x034effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000034f0000 | 0x034f0000 | 0x034f0fff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x03500000 | 0x0453ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004540000 | 0x04540000 | 0x04546fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004550000 | 0x04550000 | 0x04550fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004560000 | 0x04560000 | 0x04560fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004570000 | 0x04570000 | 0x04570fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004580000 | 0x04580000 | 0x045fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004600000 | 0x04600000 | 0x04601fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004610000 | 0x04610000 | 0x04610fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004620000 | 0x04620000 | 0x04620fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004630000 | 0x04630000 | 0x04630fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004640000 | 0x04640000 | 0x04642fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x04650000 | 0x04653fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004660000 | 0x04660000 | 0x04660fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004670000 | 0x04670000 | 0x04670fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004680000 | 0x04680000 | 0x04680fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004690000 | 0x04690000 | 0x04692fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000046a0000 | 0x046a0000 | 0x046d8fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000046e0000 | 0x046e0000 | 0x046e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046f0000 | 0x046f0000 | 0x046f0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004700000 | 0x04700000 | 0x04702fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x04710000 | 0x04713fff | Memory Mapped File | r |
|
|
|
- |
| stobject.dll.mui | 0x04720000 | 0x04721fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004730000 | 0x04730000 | 0x04732fff | Pagefile Backed Memory | r |
|
|
|
- |
| inputswitch.dll.mui | 0x04740000 | 0x04741fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004750000 | 0x04750000 | 0x04750fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004760000 | 0x04760000 | 0x04762fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004770000 | 0x04770000 | 0x04771fff | Pagefile Backed Memory | r |
|
|
|
- |
| sndvolsso.dll.mui | 0x04780000 | 0x04781fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004790000 | 0x04790000 | 0x0480ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004810000 | 0x04810000 | 0x0488ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004890000 | 0x04890000 | 0x04892fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x048a0000 | 0x048a3fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0x048b0000 | 0x048f2fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x04900000 | 0x04903fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x04910000 | 0x0499afff | Memory Mapped File | r |
|
|
|
- |
| propsys.dll.mui | 0x049a0000 | 0x049b0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000049c0000 | 0x049c0000 | 0x04a3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a40000 | 0x04a40000 | 0x04abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ac0000 | 0x04ac0000 | 0x04b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b40000 | 0x04b40000 | 0x04b40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bd0000 | 0x04bd0000 | 0x04c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x0544ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000005450000 | 0x05450000 | 0x05941fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000005950000 | 0x05950000 | 0x05950fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005960000 | 0x05960000 | 0x059dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000059e0000 | 0x059e0000 | 0x05a5ffff | Private Memory | rw |
|
|
|
- |
| iconcache_idx.db | 0x05a60000 | 0x05a61fff | Memory Mapped File | rw |
|
|
|
- |
| iconcache_32.db | 0x05a70000 | 0x05b6ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000005b70000 | 0x05b70000 | 0x05bb7fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005bc0000 | 0x05bc0000 | 0x05c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005c40000 | 0x05c40000 | 0x05cbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005cc0000 | 0x05cc0000 | 0x05d3ffff | Private Memory | rw |
|
|
|
- |
| windows.storage.dll.mui | 0x05d40000 | 0x05d47fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000005d50000 | 0x05d50000 | 0x05d52fff | Pagefile Backed Memory | r |
|
|
|
- |
| winnlsres.dll | 0x05d60000 | 0x05d64fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0x05d70000 | 0x05d7ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005d80000 | 0x05d80000 | 0x05dfffff | Private Memory | rw |
|
|
|
- |
| mswsock.dll.mui | 0x05e00000 | 0x05e02fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000005e10000 | 0x05e10000 | 0x05e10fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000005e20000 | 0x05e20000 | 0x05e20fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005e30000 | 0x05e30000 | 0x05e30fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005e40000 | 0x05e40000 | 0x05e4dfff | Private Memory | rw |
|
|
|
- |
| pnidui.dll.mui | 0x05e50000 | 0x05e51fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005e60000 | 0x05e60000 | 0x05f5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005f60000 | 0x05f60000 | 0x05f62fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005f70000 | 0x05f70000 | 0x05f72fff | Pagefile Backed Memory | r |
|
|
|
- |
| bthprops.cpl.mui | 0x05f80000 | 0x05f83fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005f90000 | 0x05f90000 | 0x05f90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005fa0000 | 0x05fa0000 | 0x05fa8fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005fb0000 | 0x05fb0000 | 0x05fb3fff | Private Memory | rw |
|
|
|
- |
| thumbcache_idx.db | 0x05fc0000 | 0x05fc1fff | Memory Mapped File | rw |
|
|
|
- |
| netmsg.dll | 0x05fd0000 | 0x05fd0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005fe0000 | 0x05fe0000 | 0x05fe8fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005ff0000 | 0x05ff0000 | 0x05ff0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006000000 | 0x06000000 | 0x060fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000006100000 | 0x06100000 | 0x06102fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000006110000 | 0x06110000 | 0x06157fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006160000 | 0x06160000 | 0x061a7fff | Private Memory | rw |
|
|
|
- |
| thumbcache_48.db | 0x061b0000 | 0x062affff | Memory Mapped File | rw |
|
|
|
- |
| netmsg.dll.mui | 0x062b0000 | 0x062e1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000062f0000 | 0x062f0000 | 0x0636ffff | Private Memory | rw |
|
|
|
- |
| iconcache_idx.db | 0x06370000 | 0x06371fff | Memory Mapped File | rw |
|
|
|
- |
| iconcache_48.db | 0x06380000 | 0x0647ffff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_idx.db | 0x06480000 | 0x06481fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000006490000 | 0x06490000 | 0x06492fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000064a0000 | 0x064a0000 | 0x064a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000064b0000 | 0x064b0000 | 0x064b0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000064c0000 | 0x064c0000 | 0x064c1fff | Pagefile Backed Memory | r |
|
|
|
- |
| thumbcache_idx.db | 0x064d0000 | 0x064d1fff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_idx.db | 0x064e0000 | 0x064e1fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00000000064f0000 | 0x064f0000 | 0x064f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000006500000 | 0x06500000 | 0x0657ffff | Private Memory | rw |
|
|
|
- |
| iconcache_idx.db | 0x06580000 | 0x06581fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000006590000 | 0x06590000 | 0x0660ffff | Private Memory | rw |
|
|
|
- |
| thumbcache_idx.db | 0x06610000 | 0x06611fff | Memory Mapped File | rw |
|
|
|
- |
| iconcache_48.db | 0x06620000 | 0x0671ffff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_48.db | 0x06720000 | 0x0681ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000006820000 | 0x06820000 | 0x0689ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000068a0000 | 0x068a0000 | 0x068e8fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000068f0000 | 0x068f0000 | 0x0696ffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 376 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create Remote Thread | #9: c:\windows\system32\svchost.exe | 0x550 | address = 0x7ffd58c39fa0 |
|
1 | |
| Modify Memory | #9: c:\windows\system32\svchost.exe | 0x550 | address = 0x7ffd58c39fa0, size = 4 |
|
2 | |
| Modify Memory | #9: c:\windows\system32\svchost.exe | 0x550 | address = 0x9da0000, size = 1257472 |
|
1 | |
| Modify Memory | #9: c:\windows\system32\svchost.exe | 0x550 | address = 0x9ee0000, size = 792 |
|
1 | |
| Modify Control Flow | #9: c:\windows\system32\svchost.exe | 0x550 | os_tid = 0x2ec, address = 0x0 |
|
1 |
Host Behavior
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Pipe | pipe\{072bb6f5-baec-d114-fc2b-8e95f08fa299} | open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_TYPE_MESSAGE, max_instances = 255 |
|
1 |
Registry (537)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Ini, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Install, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Client, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductID, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductName, data = 87 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = CurrentVersion, data = 54 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = {111F6A44-3C4D-6BC7-CED5-30CFE2D96473}, type = REG_BINARY |
|
2 | |
| Read Value | TreatAs | type = REG_NONE |
|
29 | |
| Read Value | - | data = 0 |
|
50 | |
| Read Value | - | data = psfactorybuffer |
|
1 | |
| Read Value | - | value_name = InprocServer32 |
|
25 | |
| Read Value | - | data = C:\Windows\System32\BitsProxy.dll |
|
1 | |
| Read Value | - | value_name = ThreadingModel, data = both |
|
1 | |
| Read Value | InprocHandler32 | - |
|
29 | |
| Read Value | InprocHandler | - |
|
29 | |
| Read Value | - | data = ShellItem Shell Namespace helper |
|
1 | |
| Read Value | - | data = C:\Windows\system32\windows.storage.dll |
|
4 | |
| Read Value | - | value_name = ThreadingModel, data = Both |
|
14 | |
| Read Value | - | data = Immersive Shell |
|
2 | |
| Read Value | - | data = PSFactoryBuffer |
|
3 | |
| Read Value | - | data = C:\Windows\System32\ActXPrxy.dll |
|
1 | |
| Read Value | - | - |
|
4 | |
| Read Value | - | data = C:\Windows\system32\windowscodecs.dll |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows | value_name = DisplayVersion, type = REG_NONE |
|
55 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = PaintDesktopVersion, type = REG_NONE |
|
55 | |
| Read Value | - | data = Shared Task Scheduler |
|
2 | |
| Read Value | - | value_name = ThreadingModel, data = Apartment |
|
7 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace | value_name = ValidateRegItems |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace | value_name = MonitorRegistry, data = 1 |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace | value_name = ValidateRegItems |
|
16 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace | value_name = MonitorRegistry |
|
16 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | value_name = {9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF} {000214E6-0000-0000-C000-000000000046} 0xFFFF, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | value_name = HasFlushedShellExtCache, type = REG_NONE |
|
1 | |
| Read Value | - | data = Sync Center Folder |
|
1 | |
| Read Value | - | data = C:\Windows\System32\SyncCenter.dll |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace | value_name = ValidateRegItems |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace | value_name = MonitorRegistry |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\DelegateFolders | value_name = StorageDelegateSuppressionPolicy, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\DelegateFolders | value_name = StorageDelegate, type = REG_NONE |
|
1 | |
| Read Value | - | data = Shell File System Folder |
|
1 | |
| Read Value | - | data = C:\Windows\system32\Windows.Storage.dll |
|
1 | |
| Read Value | - | value_name = UIStatus, type = REG_NONE |
|
1 | |
| Read Value | - | value_name = OnlyMember, type = REG_NONE |
|
1 | |
| Read Value | - | data = This PC |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace | value_name = ValidateRegItems |
|
5 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace | value_name = MonitorRegistry |
|
5 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\RemovableDrives | value_name = ValidateRegItems |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\RemovableDrives | value_name = MonitorRegistry |
|
1 | |
| Read Value | Storage | value_name = FilterMask, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | value_name = NeverShowDrivesMask, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | value_name = HideDrivesWithNoMedia, type = REG_NONE |
|
1 | |
| Read Value | - | data = Property System Both Class Factory |
|
1 | |
| Read Value | - | data = C:\Windows\system32\propsys.dll |
|
2 | |
| Read Value | - | type = REG_NONE |
|
2 | |
| Read Value | - | data = Local Thumbnail Cache |
|
1 | |
| Read Value | - | data = C:\Windows\System32\thumbcache.dll |
|
2 | |
| Read Value | - | data = Windows Search Platform |
|
1 | |
| Read Value | - | data = Home Group Member Status |
|
1 | |
| Read Value | - | data = C:\Windows\System32\provsvc.dll |
|
1 | |
| Read Value | - | data = Thumbnail Cache Class Factory for Out of Proc Server |
|
1 | |
| Read Value | - | data = Shell Oplock Provider |
|
1 | |
| Read Value | - | data = C:\Windows\system32\shcore.dll |
|
1 | |
| Read Value | - | value_name = ActivationType, type = REG_NONE |
|
3 | |
| Read Value | - | value_name = Threading, type = REG_NONE |
|
3 | |
| Read Value | - | value_name = TrustLevel, type = REG_NONE |
|
3 | |
| Read Value | - | value_name = ActivateAsUser, type = REG_NONE |
|
3 | |
| Read Value | - | data = Network List Manager |
|
1 | |
| Read Value | - | data = Windows.Networking.Connectivity.ProxyStubFactory |
|
1 | |
| Read Value | - | data = C:\Windows\System32\Windows.Networking.Connectivity.dll |
|
1 | |
| Read Value | - | data = Sync root manager |
|
1 | |
| Read Value | - | data = C:\Windows\System32\shell32.dll |
|
1 | |
| Read Value | - | data = C:\Windows\System32\npmproxy.dll |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{9DAC2C1E-7C5C-40EB-833B-323E85A1CE84} | value_name = Disabled |
|
1 | |
| Read Value | - | data = C:\Windows\System32\wscinterop.dll |
|
1 | |
| Read Value | - | value_name = CheckSetting, type = REG_NONE |
|
38 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{CA236752-2E77-4386-B63B-0E34774A413D} | value_name = Disabled |
|
1 | |
| Read Value | - | data = C:\Windows\System32\werconcpl.dll |
|
1 | |
| Read Value | - | value_name = Disabled, type = REG_NONE |
|
3 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4} | value_name = Disabled |
|
1 | |
| Read Value | - | data = User Account Control Check Provider |
|
1 | |
| Read Value | - | data = C:\Windows\System32\hcproviders.dll |
|
4 | |
| Read Value | - | value_name = ThreadingModel, data = Free |
|
3 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | value_name = EnableLUA, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | value_name = ConsentPromptBehaviorAdmin, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | value_name = PromptOnSecureDesktop, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{088E8DFB-2464-4C21-BAD2-F0AA6DB5D4BC} | value_name = Disabled |
|
1 | |
| Read Value | - | data = SmartScreen Settings Check Provider |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System | value_name = EnableSmartScreen, type = REG_NONE |
|
2 | |
| Read Value | - | value_name = SmartScreenEnabled, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{D26DE5C1-C061-43F7-9C40-7517526CF1C1} | value_name = Disabled |
|
1 | |
| Read Value | - | data = Startup App Check Provider |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\StartupNotify | value_name = EnableStartupAppNotification, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{6AE07DC1-0244-4C6F-9AB0-5017A56357C3} | value_name = Disabled |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{01979c6a-42fa-414c-b8aa-eee2c8202018} | value_name = Disabled |
|
1 | |
| Read Value | - | value_name = LastKnownState, type = REG_NONE |
|
5 | |
| Read Value | - | data = User Account Control Check Service |
|
1 | |
| Read Value | - | value_name = CheckSetting, type = REG_NONE |
|
6 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78} | value_name = Disabled |
|
1 | |
| Read Value | - | value_name = LastKnownState, type = REG_NONE |
|
4 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{A5268B8E-7DB5-465b-BAB7-BDCDA39A394A} | value_name = Disabled |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{DE7B24EA-73C8-4A09-985D-5BDADCFA9017} | value_name = Disabled |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{134EA407-755D-4A93-B8A6-F290CD155023} | value_name = Disabled |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{B447B4DB-7780-11E0-ADA3-18A90531A85A} | value_name = Disabled |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482} | value_name = Disabled |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{2374911B-B114-42FE-900D-54F95FEE92E5} | value_name = Disabled |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{96F4A050-7E31-453C-88BE-9634F4E02139} | value_name = Disabled |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{AA4C798D-D91B-4B07-A013-787F5803D6FC} | value_name = Disabled |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{34A3697E-0F10-4E48-AF3C-F869B5BABEBB} | value_name = Disabled |
|
1 | |
| Write Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = EnableSPDY3_0, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Enumerate Values | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 |
Process (583)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\explorer.exe | type = PROCESS_BASIC_INFORMATION |
|
583 |
Module (237)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x0 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x0 |
|
1 | |
| Load | AVIFIL32.dll | base_address = 0x0 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x7ffd58b80000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x7ffd58690000 |
|
1 | |
| Load | USER32.dll | base_address = 0x7ffd57010000 |
|
1 | |
| Load | PSAPI.DLL | base_address = 0x7ffd56ba0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7ffd56490000 |
|
1 | |
| Load | ADVAPI32.DLL | base_address = 0x7ffd58b80000 |
|
1 | |
| Get Handle | Unknown module name | base_address = 0x7ff70c660000 |
|
1 | |
| Get Handle | KERNEL32.DLL | base_address = 0x7ffd563e0000 |
|
5 | |
| Get Handle | NTDLL.DLL | base_address = 0x7ffd58c30000 |
|
2 | |
| Get Handle | kernelbase | base_address = 0x7ffd56120000 |
|
2 | |
| Get Handle | ADVAPI32.DLL | base_address = 0x7ffd58b80000 |
|
3 | |
| Get Filename | AVIFIL32.dll | process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260 |
|
2 | |
| Get Address | - | function = NtCreateSection, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = NtMapViewOfSection, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = ZwOpenProcessToken, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = ZwClose, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = ZwQueryInformationToken, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = ZwOpenProcess, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = NtQuerySystemInformation, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = _wcsupr, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = _strupr, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = memmove, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = bsearch, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = _vsnwprintf, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = _strlwr, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = atoi, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = strstr, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = wcscpy, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = ZwQueryKey, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = sprintf, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = _snprintf, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = memset, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = memcpy, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = strcpy, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = mbstowcs, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = RtlImageNtHeader, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = memcmp, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = __C_specific_handler, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = __chkstk, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetLocalTime, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = OpenProcess, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = VirtualQueryEx, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = CreateRemoteThread, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetModuleFileNameW, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetVersion, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = SetEndOfFile, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = RemoveDirectoryW, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetTempFileNameA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = DeleteCriticalSection, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = CloseHandle, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = WriteProcessMemory, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = CreateFileA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = lstrcmpiA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetModuleFileNameA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetCurrentProcess, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = lstrcmpA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetModuleHandleA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = CreateFileMappingA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = MapViewOfFile, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = Sleep, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GlobalLock, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = lstrlenA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GlobalAlloc, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GlobalUnlock, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = HeapAlloc, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = lstrcpyA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetLastError, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = HeapFree, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = RemoveDirectoryA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = DeleteFileA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = lstrcatA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = WriteFile, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = CreateDirectoryA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = HeapDestroy, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = HeapCreate, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = SetEvent, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = HeapReAlloc, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetTickCount, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = FindNextFileW, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = CopyFileW, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = SetWaitableTimer, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = LocalAlloc, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetCurrentThread, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetCurrentThreadId, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = lstrlenW, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = CreateEventA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = DeleteFileW, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = CreateDirectoryW, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = CreateWaitableTimerA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetTempPathA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = FindFirstFileW, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = LocalFree, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = TerminateProcess, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = SuspendThread, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = WaitForMultipleObjects, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = ResumeThread, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = lstrcpyW, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = FileTimeToSystemTime, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = CreateThread, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = CreateFileW, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = ResetEvent, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = SwitchToThread, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = lstrcatW, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = CreateProcessW, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetFileSize, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetFileAttributesW, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = WideCharToMultiByte, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = LeaveCriticalSection, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = SetLastError, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = EnterCriticalSection, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetComputerNameA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = CreateMutexA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = OpenWaitableTimerA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = OpenMutexA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetVolumeInformationA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = WaitForSingleObject, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = ReleaseMutex, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetComputerNameW, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = InitializeCriticalSection, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = LoadLibraryExW, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = VirtualFree, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetFileAttributesA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = OpenFileMappingA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetExitCodeProcess, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = CreateProcessA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = lstrcpynA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = LocalReAlloc, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = TlsAlloc, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = TlsGetValue, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = TlsSetValue, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = LoadLibraryW, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetVersionExW, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = FreeLibrary, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = ReadFile, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = SetFilePointer, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = Thread32First, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = QueueUserAPC, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = OpenThread, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = Thread32Next, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = FindFirstFileA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = FindNextFileA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = ConnectNamedPipe, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetOverlappedResult, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = CancelIo, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = DisconnectNamedPipe, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = FlushFileBuffers, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = CallNamedPipeA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = CreateNamedPipeA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetSystemTime, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = WaitNamedPipeA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetCurrentProcessId, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = SleepEx, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = OpenEventA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = lstrcmpiW, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = RaiseException, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetSystemInfo, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = Process32NextW, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = Process32FirstW, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = QueueUserWorkItem, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = FindClose, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = GetDriveTypeW, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = VirtualProtectEx, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = AVIStreamRelease, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = AVIStreamWrite, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = AVIFileOpenA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = AVIFileCreateStreamA, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = AVIStreamSetFormat, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = AVIFileExit, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = AVIFileInit, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = AVIMakeCompressedStream, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | - | function = AVIFileRelease, ordinal = 0, address_out = 0x9d9fcb0 |
|
1 | |
| Get Address | Unknown module name | function = IsWow64Process, address_out = 0x7ffd563fe960 |
|
1 | |
| Get Address | Unknown module name | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ffd58b9d610 |
|
1 | |
| Get Address | Unknown module name | function = StrRChrA, address_out = 0x7ffd586a4dd0 |
|
1 | |
| Get Address | Unknown module name | function = wsprintfA, address_out = 0x7ffd57032610 |
|
1 | |
| Get Address | Unknown module name | function = RegOpenKeyA, address_out = 0x7ffd58b9b9e0 |
|
1 | |
| Get Address | Unknown module name | function = RegQueryValueExA, address_out = 0x7ffd58b97dd0 |
|
1 | |
| Get Address | Unknown module name | function = RegCloseKey, address_out = 0x7ffd58b972e0 |
|
1 | |
| Get Address | Unknown module name | function = StrToIntExA, address_out = 0x7ffd586a4e70 |
|
1 | |
| Get Address | Unknown module name | function = StrChrA, address_out = 0x7ffd586a4cc0 |
|
1 | |
| Get Address | Unknown module name | function = StrTrimA, address_out = 0x7ffd586a4e80 |
|
1 | |
| Get Address | Unknown module name | function = GetUserNameA, address_out = 0x7ffd58baec40 |
|
1 | |
| Get Address | Unknown module name | function = EnumProcessModules, address_out = 0x7ffd56ba1040 |
|
1 | |
| Get Address | Unknown module name | function = StrStrIW, address_out = 0x7ffd5869b260 |
|
1 | |
| Get Address | Unknown module name | function = RegEnumValueW, address_out = 0x7ffd58b97220 |
|
1 | |
| Get Address | Unknown module name | function = RegSetValueExA, address_out = 0x7ffd58b82680 |
|
1 | |
| Get Address | Unknown module name | function = RegCreateKeyA, address_out = 0x7ffd58bc6dc0 |
|
1 | |
| Get Address | Unknown module name | function = RegOpenKeyExA, address_out = 0x7ffd58b97d70 |
|
1 | |
| Get Address | Unknown module name | function = CreateStreamOnHGlobal, address_out = 0x7ffd56da70a0 |
|
1 | |
| Get Address | Unknown module name | function = PathFindFileNameA, address_out = 0x7ffd5869cf30 |
|
1 | |
| Get Address | Unknown module name | function = SetWindowsHookExA, address_out = 0x7ffd570127a0 |
|
1 | |
| Get Address | Unknown module name | function = RegisterClassA, address_out = 0x7ffd57031310 |
|
1 | |
| Get Address | Unknown module name | function = CreateWindowExA, address_out = 0x7ffd57034df0 |
|
1 | |
| Get Address | Unknown module name | function = GetWindowLongPtrA, address_out = 0x7ffd5701cae0 |
|
1 | |
| Get Address | Unknown module name | function = DefWindowProcA, address_out = 0x7ffd58cc3230 |
|
1 | |
| Get Address | Unknown module name | function = SetWindowLongPtrA, address_out = 0x7ffd570261f0 |
|
1 | |
| Get Address | Unknown module name | function = GetMessageA, address_out = 0x7ffd5702aa50 |
|
1 | |
| Get Address | Unknown module name | function = TranslateMessage, address_out = 0x7ffd570236a0 |
|
1 | |
| Get Address | Unknown module name | function = DispatchMessageA, address_out = 0x7ffd570361e0 |
|
1 | |
| Get Address | Unknown module name | function = SetClipboardViewer, address_out = 0x7ffd57040de0 |
|
1 | |
| Get Address | Unknown module name | function = PostMessageA, address_out = 0x7ffd57034900 |
|
1 | |
| Get Address | Unknown module name | function = OpenClipboard, address_out = 0x7ffd5703b6c0 |
|
1 | |
| Get Address | Unknown module name | function = GetClipboardData, address_out = 0x7ffd5703aba0 |
|
1 | |
| Get Address | Unknown module name | function = CloseClipboard, address_out = 0x7ffd57040920 |
|
1 | |
| Get Address | Unknown module name | function = StrCmpIW, address_out = 0x7ffd5869be50 |
|
1 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = {B0393975-7C50-236F-7902-BD561384F7F8}, wndproc_parameter = 165705856 |
|
1 | |
| Create | - | class_name = {A4513401-FD6C-D9DB-C57E-C9923F60E394}, wndproc_parameter = 165705488 |
|
1 |
System (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Clipboard | format = 1 |
|
1 | |
| Sleep | duration = -1 (infinite) |
|
3 | |
| Get Time | type = Ticks, time = 49953 |
|
1 | |
| Get Time | type = System Time, time = 2018-10-30 06:05:08 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 50218 |
|
2 | |
| Register Hook | type = WH_KEYBOARD_LL, hookproc_address = 0x9dd045c |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Mutex (10)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = {36482DDE-1D22-D83C-57CA-A18C7B9E6580} |
|
1 | |
| Create | mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6} |
|
1 | |
| Create | mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D} |
|
1 | |
| Create | mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45} |
|
1 | |
| Open | mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 |
