6d365f7901cd47dd0f1169c656d2e442ffabbc3197f0a6d056aee9471e9d9487 (SHA256)
Scan92933944.js
JScript
Created at 2018-05-23 13:36:00
Monitored Processes
Behavior Information - Grouped by Category
Process #1: cscript.exe
110
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\windows\system32\cscript.exe |
| Command Line | "C:\Windows\System32\CScript.exe" "C:\Users\5P5NRG~1\Desktop\SCAN92~1.JS" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:51, Reason: Analysis Target |
| Unmonitor | End Time: 00:03:51, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xaa0 |
| Parent PID | 0x564 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AA4
0x
AB8
0x
ABC
0x
AC8
0x
ACC
0x
AD0
0x
AD4
0x
AD8
0x
ADC
0x
AE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00040000 | 0x000a6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000b6fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| cscript.exe.mui | 0x000d0000 | 0x000d2fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| cscript.exe | 0x00100000 | 0x00113fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00130fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0014ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0024ffff | Private Memory | Readable, Writable |
|
|
|
- |
| rpcss.dll | 0x00250000 | 0x002ccfff | Memory Mapped File | Readable |
|
|
|
- |
| rsaenh.dll | 0x00250000 | 0x00294fff | Memory Mapped File | Readable |
|
|
|
- |
| scrrun.dll | 0x00250000 | 0x0025ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| msxml3r.dll | 0x00260000 | 0x00260fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0028ffff | Private Memory | - |
|
|
|
- |
| wshom.ocx | 0x00290000 | 0x002a3fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cversions.2.db | 0x002c0000 | 0x002c3fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x004cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x004d1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db | 0x004e0000 | 0x004fefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0050ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00697fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x00820fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x01c2ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001c30000 | 0x01c30000 | 0x01dcffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001c30000 | 0x01c30000 | 0x01d0efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001d10000 | 0x01d10000 | 0x01d10fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db | 0x01d20000 | 0x01d4ffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001d50000 | 0x01d50000 | 0x01dcffff | Private Memory | Readable, Writable |
|
|
|
- |
| cversions.2.db | 0x01dd0000 | 0x01dd3fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000001de0000 | 0x01de0000 | 0x01de0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001df0000 | 0x01df0000 | 0x01eeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001ef0000 | 0x01ef0000 | 0x01f8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001ef0000 | 0x01ef0000 | 0x01f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f80000 | 0x01f80000 | 0x01f8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001fb0000 | 0x01fb0000 | 0x020affff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x020b0000 | 0x0237efff | Memory Mapped File | Readable |
|
|
|
- |
| scan92~1.js | 0x02380000 | 0x024b9fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002380000 | 0x02380000 | 0x024b9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002380000 | 0x02380000 | 0x02480fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002380000 | 0x02380000 | 0x0243ffff | Private Memory | Readable, Writable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x02440000 | 0x024a5fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000024c0000 | 0x024c0000 | 0x02733fff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x02740000 | 0x027fffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000002810000 | 0x02810000 | 0x0290ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002910000 | 0x02910000 | 0x0390ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| scan92~1.js | 0x03910000 | 0x03a49fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000003910000 | 0x03910000 | 0x039effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000039f0000 | 0x039f0000 | 0x03aeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003af0000 | 0x03af0000 | 0x03beffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003bf0000 | 0x03bf0000 | 0x03e63fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003e70000 | 0x03e70000 | 0x040e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003e70000 | 0x03e70000 | 0x0421ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004220000 | 0x04220000 | 0x0441ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004420000 | 0x04420000 | 0x0481ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004820000 | 0x04820000 | 0x04d03fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d10000 | 0x04d10000 | 0x04e0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x0504ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005060000 | 0x05060000 | 0x0515ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005160000 | 0x05160000 | 0x0534ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005160000 | 0x05160000 | 0x05294fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005160000 | 0x05160000 | 0x0525ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000052d0000 | 0x052d0000 | 0x0534ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005350000 | 0x05350000 | 0x055affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005350000 | 0x05350000 | 0x0544ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005530000 | 0x05530000 | 0x055affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000055b0000 | 0x055b0000 | 0x059affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000059b0000 | 0x059b0000 | 0x05c18fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005c20000 | 0x05c20000 | 0x05e88fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005e90000 | 0x05e90000 | 0x0608ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006110000 | 0x06110000 | 0x0620ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000006210000 | 0x06210000 | 0x06602fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| kernel32.dll | 0x77a30000 | 0x77b4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77b50000 | 0x77c49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c50000 | 0x77df8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| cscript.exe | 0xffc00000 | 0xffc28fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wshom.ocx | 0x7fef3350000 | 0x7fef3377fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msxml3.dll | 0x7fef3380000 | 0x7fef3553fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msado15.dll | 0x7fef3560000 | 0x7fef36cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| jscript.dll | 0x7fef36d0000 | 0x7fef37b2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7fef37c0000 | 0x7fef385ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msdart.dll | 0x7fef3870000 | 0x7fef3897fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| scrrun.dll | 0x7fef38a0000 | 0x7fef38d3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| scrobj.dll | 0x7fef4100000 | 0x7fef413bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wshext.dll | 0x7fef42f0000 | 0x7fef430cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msisip.dll | 0x7fef8390000 | 0x7fef839afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x7fefaaa0000 | 0x7fefaab7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x7fefc090000 | 0x7fefc0a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7fefc4c0000 | 0x7fefc515fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| propsys.dll | 0x7fefc520000 | 0x7fefc64bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7fefc670000 | 0x7fefc863fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x7fefcb60000 | 0x7fefcb8cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x7fefcd60000 | 0x7fefcd6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7fefd190000 | 0x7fefd1d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7fefd490000 | 0x7fefd4a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7fefda60000 | 0x7fefda84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7fefda90000 | 0x7fefda9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sxs.dll | 0x7fefdaa0000 | 0x7fefdb30fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrtremote.dll | 0x7fefdb80000 | 0x7fefdb93fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7fefdba0000 | 0x7fefdbaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x7fefdc40000 | 0x7fefdc4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wintrust.dll | 0x7fefdc50000 | 0x7fefdc89fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7fefdc90000 | 0x7fefdca9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x7fefdcb0000 | 0x7fefde16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7fefde20000 | 0x7fefde55fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7fefde60000 | 0x7fefdecafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7fefdf70000 | 0x7fefe172fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7fefe180000 | 0x7fefef07fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7fefef10000 | 0x7fefefa8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7fefefb0000 | 0x7feff0dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x7feff0e0000 | 0x7feff209fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7feff210000 | 0x7feff2aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7feff2b0000 | 0x7feff38afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7feff390000 | 0x7feff3aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x7feff3b0000 | 0x7feff3bdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7feff3c0000 | 0x7feff3edfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x7feff3f0000 | 0x7feff648fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wldap32.dll | 0x7feff730000 | 0x7feff781fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x7feff790000 | 0x7feff907fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7feff910000 | 0x7feff976fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7feff980000 | 0x7feff9f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7feffa00000 | 0x7feffb08fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7feffb10000 | 0x7feffbe6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comdlg32.dll | 0x7feffdd0000 | 0x7feffe66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x7feffe90000 | 0x7fefff58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x7fefff70000 | 0x7fefff70fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007fffffaa000 | 0x7fffffaa000 | 0x7fffffabfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | Readable, Writable |
|
|
|
- |
|
For performance reasons, the remaining 3 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe | 924.00 KB |
MD5:
f6cb9cb7189e5b3311511a09bf49bc60
SHA1: 70c3264ed1ffd592e278bf27a3d255eab895f40d SHA256: 1730ee105ce0df308f6b0fa8b0ee508ad863210a124627bd6e246502ce88ef3a |
|
|
Host Behavior
COM (8)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | F414C260-6AC0-11CF-B6D1-00AA00BBBB58 | 00000000-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | 00000323-0000-0000-C000-000000000046 | 00000146-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 06290BD1-48AA-11D2-8432-006008C3FBFC | E4D1C9B0-46E8-11D4-A2A6-00104BD35090 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | Scripting.FileSystemObject | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | ADODB.Stream | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | 2933BF90-7B36-11D2-B20E-00C04F983E60 | 00000001-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | WScript.Shell | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5P5NRG~1\Desktop\SCAN92~1.JS | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe | - |
|
1 | |
| Get Info | C:\Users\5P5NRG~1\Desktop\SCAN92~1.JS | type = size |
|
1 | |
| Get Info | C:\Users\5P5NRG~1\Desktop\SCAN92~1.JS | type = size |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Read | C:\Users\5P5NRG~1\Desktop\SCAN92~1.JS | size = 1284222, size_out = 1284222 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 108 |
|
1 | |
| Write | C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe | size = 946176 |
|
1 |
Registry (30)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\.JS | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\JSFile\ScriptEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = Enabled, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = Enabled, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = LogSecuritySuccesses, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = LogSecuritySuccesses, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = TrustPolicy, data = 32, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = UseWINSAFER, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = TrustPolicy, data = 32, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = UseWINSAFER, data = 1, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = Timeout, data = 32, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = DisplayLogo, data = 1, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = Timeout, data = 32, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = DisplayLogo, data = 49, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\.JS | data = JSFile, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\JSFile\ScriptEngine | data = JScript, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 | value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe | show_window = SW_SHOWNORMAL |
|
1 |
Module (31)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x77a30000 |
|
2 | |
| Load | ADVAPI32.dll | base_address = 0x7feff2b0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7fefdf70000 |
|
1 | |
| Load | C:\Windows\system32\advapi32.dll | base_address = 0x7feff2b0000 |
|
1 | |
| Load | shell32.dll | base_address = 0x7fefe180000 |
|
1 | |
| Get Handle | c:\windows\system32\cscript.exe | base_address = 0xffc00000 |
|
2 | |
| Get Handle | c:\windows\system32\ole32.dll | base_address = 0x7fefdf70000 |
|
2 | |
| Get Filename | c:\windows\system32\cscript.exe | process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 261 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77a46d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = HeapSetInformation, address_out = 0x77a4c4a0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegisterTraceGuidsA, address_out = 0x77c6f570 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExA, address_out = 0x7feff2cb5f0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegQueryValueExA, address_out = 0x7feff2cc480 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7feff2d0710 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoGetObjectContext, address_out = 0x7fefdf8c920 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoCreateInstance, address_out = 0x7fefdf97490 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferIdentifyLevel, address_out = 0x7feff2ce470 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferComputeTokenFromLevel, address_out = 0x7feff2cf9b0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferCloseLevel, address_out = 0x7feff2cf660 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CLSIDFromProgIDEx, address_out = 0x7fefdf8a4c4 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoGetClassObject, address_out = 0x7fefdfa2e18 |
|
1 | |
| Get Address | c:\windows\system32\cscript.exe | function = 1, address_out = 0xffc01a60 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteExW, address_out = 0x7fefe1a7c70 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = UnregisterTraceGuids, address_out = 0x77c73c80 |
|
1 | |
| Create Mapping | C:\Users\5P5NRG~1\Desktop\SCAN92~1.JS | filename = C:\Users\5P5NRG~1\Desktop\SCAN92~1.JS, protection = PAGE_READONLY, maximum_size = 1284222 |
|
1 | |
| Map | C:\Users\5P5NRG~1\Desktop\SCAN92~1.JS | process_name = c:\windows\system32\cscript.exe, desired_access = FILE_MAP_READ |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = WSH-Timer, wndproc_parameter = 5265680 |
|
1 |
System (24)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = -1 (infinite) |
|
2 | |
| Get Time | type = System Time, time = 2018-05-23 13:38:35 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 160103 |
|
1 | |
| Get Time | type = Ticks, time = 160712 |
|
1 | |
| Get Time | type = Ticks, time = 160790 |
|
2 | |
| Get Time | type = System Time, time = 2018-05-23 13:38:36 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 161476 |
|
1 | |
| Get Time | type = Ticks, time = 161632 |
|
1 | |
| Get Time | type = Ticks, time = 163348 |
|
1 | |
| Get Time | type = System Time, time = 2018-05-23 13:38:38 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 163520 |
|
1 | |
| Get Info | type = Operating System |
|
5 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = System Directory |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = JS_PROFILER |
|
1 |
Process #2: hsbftstclaogdeeotf.exe
274
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe |
| Command Line | "C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:10, Reason: Child Process |
| Unmonitor | End Time: 00:03:51, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:41 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xae4 |
| Parent PID | 0xaa0 (c:\windows\system32\cscript.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AE8
0x
0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e6fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| scrrun.dll | 0x00270000 | 0x00284fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00291fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| windowsshell.manifest | 0x002b0000 | 0x002b0fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| msctf.dll.mui | 0x003d0000 | 0x003d0fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e5fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f1fff | Private Memory | Readable, Writable |
|
|
|
- |
| hsbftstclaogdeeotf.exe | 0x00400000 | 0x004e8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| locale.nls | 0x004f0000 | 0x00556fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x006e7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x00870fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x01c7ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001c80000 | 0x01c80000 | 0x01e3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001c80000 | 0x01c80000 | 0x01d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001c80000 | 0x01c80000 | 0x01cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001d30000 | 0x01d30000 | 0x01d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001d70000 | 0x01d70000 | 0x01dc0fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001e30000 | 0x01e30000 | 0x01e3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001e40000 | 0x01e40000 | 0x0223ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x02240000 | 0x0250efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002510000 | 0x02510000 | 0x026bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002510000 | 0x02510000 | 0x025eefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002680000 | 0x02680000 | 0x026bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000026c0000 | 0x026c0000 | 0x0286ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002870000 | 0x02870000 | 0x02a6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002a70000 | 0x02a70000 | 0x02e62fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| staticcache.dat | 0x02e70000 | 0x0379ffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000037a0000 | 0x037a0000 | 0x0779ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| msvbvm60.dll | 0x72940000 | 0x72a92fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x752b0000 | 0x752c2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x752d0000 | 0x7534ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x75360000 | 0x75367fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x75370000 | 0x753cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x753d0000 | 0x7540efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x75640000 | 0x757ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x757e0000 | 0x757e8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| scrrun.dll | 0x757f0000 | 0x75819fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sxs.dll | 0x75820000 | 0x7587efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x75980000 | 0x7598bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x75990000 | 0x759effff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a30000 | 0x75a48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75bb0000 | 0x75bf5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x75fd0000 | 0x760dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x760e0000 | 0x7617ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76180000 | 0x761d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x763c0000 | 0x763c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x763e0000 | 0x764dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x764e0000 | 0x7656efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76670000 | 0x7671bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76720000 | 0x767ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x76890000 | 0x76912fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x76920000 | 0x77569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x77570000 | 0x775cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x775d0000 | 0x776bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x776c0000 | 0x7781bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77820000 | 0x778affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x77990000 | 0x77a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000077a30000 | 0x77a30000 | 0x77b4efff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000077b50000 | 0x77b50000 | 0x77c49fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c50000 | 0x77df8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77e30000 | 0x77faffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | Scripting.FileSystemObject | IUnknown | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER |
|
1 |
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Windows\system32 | type = file_attributes |
|
3 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors | - |
|
2 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe | os_pid = 0xaf8, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 |
Thread (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Resume | c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe | os_tid = 0xae8 |
|
1 |
Memory (15)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe | address = 0x1a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 4096 |
|
1 | |
| Protect | C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe | address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 331776 |
|
1 | |
| Read | C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe | address = 0x401240, size = 8 |
|
1 | |
| Write | C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe | address = 0x400000, size = 331776 |
|
1 | |
| Write | C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe | address = 0x400000, size = 4096 |
|
1 | |
| Write | C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe | address = 0x400000, size = 1 |
|
1 | |
| Write | C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe | address = 0x404000, size = 315392 |
|
1 | |
| Write | C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe | address = 0x403000, size = 4096 |
|
1 | |
| Write | C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe | address = 0x402000, size = 4096 |
|
1 | |
| Write | C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe | address = 0x401000, size = 4096 |
|
1 | |
| Write | C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe | address = 0x1a01fc, size = 4 |
|
1 | |
| Write | C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe | address = 0x1a0200, size = 4 |
|
1 | |
| Write | C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe | address = 0x1a0204, size = 8 |
|
1 | |
| Write | C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe | address = 0x401240, size = 8 |
|
1 | |
| Write | C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe | address = 0x1a0000, size = 38 |
|
1 |
Module (141)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | OLEAUT32.DLL | base_address = 0x764e0000 |
|
1 | |
| Load | SXS.DLL | base_address = 0x75820000 |
|
1 | |
| Load | msvbvm60 | base_address = 0x72940000 |
|
1 | |
| Load | gdi32 | base_address = 0x77820000 |
|
1 | |
| Load | user32 | base_address = 0x763e0000 |
|
2 | |
| Load | kernel32 | base_address = 0x75fd0000 |
|
19 | |
| Load | shell32 | base_address = 0x76920000 |
|
1 | |
| Load | ntdll | base_address = 0x77e30000 |
|
5 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75fd0000 |
|
2 | |
| Get Handle | c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe | base_address = 0x400000 |
|
1 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x764e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x776c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x763e0000 |
|
1 | |
| Get Filename | - | process_name = c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe, file_name_orig = C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe, size = 260 |
|
3 | |
| Get Filename | - | process_name = c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 |
|
3 | |
| Get Filename | c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe | process_name = c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe, file_name_orig = C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsTNT, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75fe5235 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = OleLoadPictureEx, address_out = 0x765470a1 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = DispCallFunc, address_out = 0x764f3dcf |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = LoadTypeLibEx, address_out = 0x764f07b7 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = UnRegisterTypeLib, address_out = 0x76511ca9 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = CreateTypeLib2, address_out = 0x764f8e70 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDateFromUdate, address_out = 0x764f7684 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarUdateFromDate, address_out = 0x764fcc98 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = GetAltMonthNames, address_out = 0x7652903a |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNumFromParseNum, address_out = 0x764f6231 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarParseNumFromStr, address_out = 0x764f5fea |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromR4, address_out = 0x76503f94 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromR8, address_out = 0x76504e9e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromDate, address_out = 0x7652db72 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromI4, address_out = 0x76512a8c |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromCy, address_out = 0x7652d737 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR4FromDec, address_out = 0x7652e015 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = GetRecordInfoFromTypeInfo, address_out = 0x7652cc3d |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = GetRecordInfoFromGuids, address_out = 0x7652d1c4 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayGetRecordInfo, address_out = 0x7652d48c |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArraySetRecordInfo, address_out = 0x7652d4c6 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayGetIID, address_out = 0x7652d509 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArraySetIID, address_out = 0x764fe7bb |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayCopyData, address_out = 0x764fe496 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayAllocDescriptorEx, address_out = 0x764fddf1 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayCreateEx, address_out = 0x7652d53f |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormat, address_out = 0x76532055 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatDateTime, address_out = 0x765320ea |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatNumber, address_out = 0x76532151 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatPercent, address_out = 0x765321f5 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatCurrency, address_out = 0x76532288 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarWeekdayName, address_out = 0x76532335 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMonthName, address_out = 0x765323d5 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAdd, address_out = 0x76505934 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAnd, address_out = 0x76505a98 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCat, address_out = 0x765059b4 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDiv, address_out = 0x7655e405 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarEqv, address_out = 0x7655ef07 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarIdiv, address_out = 0x7655f00a |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarImp, address_out = 0x7655ef47 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMod, address_out = 0x7655f15e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMul, address_out = 0x7655dbd4 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarOr, address_out = 0x7655ecfa |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarPow, address_out = 0x7655ea66 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarSub, address_out = 0x7655d332 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarXor, address_out = 0x7655ee2e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAbs, address_out = 0x7655ca11 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFix, address_out = 0x7655cc5f |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarInt, address_out = 0x7655cde7 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNeg, address_out = 0x7655c802 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNot, address_out = 0x7655ec66 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarRound, address_out = 0x7655d155 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCmp, address_out = 0x764fb0dc |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecAdd, address_out = 0x76515f3e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecCmp, address_out = 0x76504fd0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrCat, address_out = 0x76500d2c |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCyMulI4, address_out = 0x765159ed |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrCmp, address_out = 0x764ef8b8 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstanceEx, address_out = 0x77709d4e |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CLSIDFromProgIDEx, address_out = 0x776d0782 |
|
1 | |
| Get Address | c:\windows\syswow64\sxs.dll | function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x75867685 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSystemMetrics, address_out = 0x763f7d2f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MonitorFromWindow, address_out = 0x76403150 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MonitorFromRect, address_out = 0x7641e7a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MonitorFromPoint, address_out = 0x76405281 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EnumDisplayMonitors, address_out = 0x7640451a |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMonitorInfoA, address_out = 0x76404413 |
|
1 | |
| Get Address | c:\windows\syswow64\msvbvm60.dll | function = GetMem8, address_out = 0x72a35e34 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EnumFontFamiliesW, address_out = 0x7784a780 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EnumWindows, address_out = 0x763fd1cf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x75fe1856 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x75fe110c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x75fe10ff |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetErrorMode, address_out = 0x75fe1b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75fe11a9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAllocEx, address_out = 0x75ffd9b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetCursorPos, address_out = 0x76401218 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75fe1410 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteW, address_out = 0x76933c71 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75fe1282 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75fe3f5c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x75ffd802 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtectEx, address_out = 0x760645bf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x75fe103d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempPathW, address_out = 0x75ffd4dc |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLongPathNameW, address_out = 0x75fea315 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSize, address_out = 0x75fe196e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x75fe3ed3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x75fe5223 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtAllocateVirtualMemory, address_out = 0x77e4fab0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtWriteVirtualMemory, address_out = 0x77e4fe04 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtTerminateThread, address_out = 0x77e50074 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtOpenEvent, address_out = 0x77e4fe98 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadProcessMemory, address_out = 0x75ffcfcc |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtResumeThread, address_out = 0x77e50058 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetExitCodeProcess, address_out = 0x75ff174d |
|
1 |
Window (28)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = ThunderRT6Main, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = VBMsoStdCompMgr, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = VBFocusRT6, wndproc_parameter = 0 |
|
1 | |
| Create | Ghostscript | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | Arachnactis6 | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | Astrakhan7 | wndproc_parameter = 0 |
|
1 | |
| Create | Jewelry | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | Traveler8 | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | Roxiu | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | Zenu6 | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Set Attribute | - | class_name = VBMsoStdCompMgr, index = 0, new_long = 40378524 |
|
1 | |
| Set Attribute | - | index = 18446744073709551612, new_long = 1922993716 |
|
1 | |
| Set Attribute | - | index = 18446744073709551595, new_long = 40490428 |
|
2 | |
| Set Attribute | - | index = 18446744073709551612, new_long = 1922992973 |
|
1 |
Keyboard (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 |
System (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 33, y_out = 305 |
|
2 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
4 | |
| Sleep | duration = 2000 milliseconds (2.000 seconds) |
|
1 | |
| Sleep | duration = 1 milliseconds (0.001 seconds) |
|
1 | |
| Get Time | type = Ticks, time = 168512 |
|
1 | |
| Get Time | type = Ticks, time = 170524 |
|
1 | |
| Register Hook | type = WH_MSGFILTER, hookproc_address = 0x729a1e09 |
|
1 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Hardware Information |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | - |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #3: hsbftstclaogdeeotf.exe
1381
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe |
| Command Line | "C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:26, Reason: Child Process |
| Unmonitor | End Time: 00:03:51, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:25 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xaf8 |
| Parent PID | 0xae4 (c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AFC
0x
0
0x
B00
0x
B04
0x
B08
0x
B94
0x
B9C
0x
BA0
0x
BA8
0x
BAC
0x
BB4
0x
BB8
0x
BC0
0x
BCC
0x
BD0
0x
BD4
0x
BE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0003efff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| locale.nls | 0x001b0000 | 0x00216fff | Memory Mapped File | Readable |
|
|
|
- |
| imm32.dll | 0x00220000 | 0x0023dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00220fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00230fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00240fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00260fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00342fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00342fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x003affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0035ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0038ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | - |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| hsbftstclaogdeeotf.exe | 0x00400000 | 0x004e8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000400000 | 0x00400000 | 0x00437fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x004dffff | Private Memory | Readable, Writable |
|
|
|
- |
| l_intl.nls | 0x004e0000 | 0x004e2fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0054ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0055ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00560fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0057ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00581fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x005cffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x00857fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x009e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x01deffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001df0000 | 0x01df0000 | 0x01f1ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001df0000 | 0x01df0000 | 0x01dfffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000001e00000 | 0x01e00000 | 0x01edefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001ee0000 | 0x01ee0000 | 0x01f1ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001f20000 | 0x01f20000 | 0x0201ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x02020000 | 0x022eefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000022f0000 | 0x022f0000 | 0x042effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000042f0000 | 0x042f0000 | 0x043effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000043f0000 | 0x043f0000 | 0x0454ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000043f0000 | 0x043f0000 | 0x0442ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004430000 | 0x04430000 | 0x04436fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004440000 | 0x04440000 | 0x04441fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004450000 | 0x04450000 | 0x0445ffff | Private Memory | - |
|
|
|
- |
| rsaenh.dll | 0x04460000 | 0x0449bfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004460000 | 0x04460000 | 0x0446ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sorttbls.nlp | 0x04460000 | 0x04464fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004470000 | 0x04470000 | 0x0447ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortkey.nlp | 0x04470000 | 0x044b0fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004480000 | 0x04480000 | 0x0448ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004490000 | 0x04490000 | 0x0449ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000044c0000 | 0x044c0000 | 0x044c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000044d0000 | 0x044d0000 | 0x0450ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004510000 | 0x04510000 | 0x0454ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004550000 | 0x04550000 | 0x0464ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004650000 | 0x04650000 | 0x04a42fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004a50000 | 0x04a50000 | 0x04b8ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000004a50000 | 0x04a50000 | 0x04b4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04b8ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000004b90000 | 0x04b90000 | 0x04c8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04c9ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000004ca0000 | 0x04ca0000 | 0x04ca0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| mscorrc.dll | 0x04ca0000 | 0x04cf3fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000004d00000 | 0x04d00000 | 0x04d04fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d10000 | 0x04d10000 | 0x04d4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04e4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04e8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04f8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| tzres.dll | 0x04f90000 | 0x04f90fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000004f90000 | 0x04f90000 | 0x04f92fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004fa0000 | 0x04fa0000 | 0x04fb8fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| diasymreader.dll | 0x5e3a0000 | 0x5e42cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| culture.dll | 0x60340000 | 0x60347fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.windows.forms.dll | 0x71a70000 | 0x71f3dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.windows.forms.ni.dll | 0x71f40000 | 0x72b1dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.ni.dll | 0x72b20000 | 0x732bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscorlib.ni.dll | 0x732c0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscorwks.dll | 0x73dc0000 | 0x7436afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.visualbasic.ni.dll | 0x74930000 | 0x74acafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x752b0000 | 0x752c2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x752d0000 | 0x7534ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x75350000 | 0x75352fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x75360000 | 0x75367fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x75370000 | 0x753cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x753d0000 | 0x7540efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shfolder.dll | 0x75470000 | 0x75474fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x75480000 | 0x75496fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x754a0000 | 0x754dafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x754e0000 | 0x754f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscorjit.dll | 0x75500000 | 0x7555afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.drawing.ni.dll | 0x75560000 | 0x756e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x756f0000 | 0x756fafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcr80.dll | 0x75700000 | 0x7579afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x757a0000 | 0x757a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoreei.dll | 0x757b0000 | 0x75827fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoree.dll | 0x75830000 | 0x75879fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x75980000 | 0x7598bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x75990000 | 0x759effff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a30000 | 0x75a48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75bb0000 | 0x75bf5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x75fd0000 | 0x760dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x760e0000 | 0x7617ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76180000 | 0x761d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x763c0000 | 0x763c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x763e0000 | 0x764dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x764e0000 | 0x7656efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76670000 | 0x7671bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76720000 | 0x767ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x76920000 | 0x77569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x77570000 | 0x775cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x775d0000 | 0x776bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x776c0000 | 0x7781bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77820000 | 0x778affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x77990000 | 0x77a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000077a30000 | 0x77a30000 | 0x77b4efff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000077b50000 | 0x77b50000 | 0x77c49fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c50000 | 0x77df8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77e30000 | 0x77faffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007ef44000 | 0x7ef44000 | 0x7ef46fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef47000 | 0x7ef47000 | 0x7ef49fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef4a000 | 0x7ef4a000 | 0x7ef4cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef4d000 | 0x7ef4d000 | 0x7ef4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef50000 | 0x7ef50000 | 0x7ef5ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007ef60000 | 0x7ef60000 | 0x7efaffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
|
For performance reasons, the remaining 30 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #2: c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe | 0xae8 | address = 0x400000, size = 331776 |
|
1 | |
| Modify Memory | #2: c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe | 0xae8 | address = 0x400000, size = 4096 |
|
1 | |
| Modify Memory | #2: c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe | 0xae8 | address = 0x400000, size = 1 |
|
1 | |
| Modify Memory | #2: c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe | 0xae8 | address = 0x404000, size = 315392 |
|
1 | |
| Modify Memory | #2: c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe | 0xae8 | address = 0x403000, size = 4096 |
|
1 | |
| Modify Memory | #2: c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe | 0xae8 | address = 0x402000, size = 4096 |
|
1 | |
| Modify Memory | #2: c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe | 0xae8 | address = 0x401000, size = 4096 |
|
1 | |
| Modify Memory | #2: c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe | 0xae8 | address = 0x1a01fc, size = 4 |
|
1 | |
| Modify Memory | #2: c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe | 0xae8 | address = 0x1a0200, size = 4 |
|
1 | |
| Modify Memory | #2: c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe | 0xae8 | address = 0x1a0204, size = 8 |
|
1 | |
| Modify Memory | #2: c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe | 0xae8 | address = 0x401240, size = 8 |
|
1 | |
| Modify Memory | #2: c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe | 0xae8 | address = 0x1a0000, size = 38 |
|
1 |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\program files (x86)\imap service\imapsv.exe | 924.00 KB |
MD5:
f6cb9cb7189e5b3311511a09bf49bc60
SHA1: 70c3264ed1ffd592e278bf27a3d255eab895f40d SHA256: 1730ee105ce0df308f6b0fa8b0ee508ad863210a124627bd6e246502ce88ef3a |
|
|
| c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\0303d5b4-ffe9-470e-9dd8-7d9ec416e53f\run.dat | 0.01 KB |
MD5:
f8515e5af248bb586dc0076394d3e1f1
SHA1: 1390d19ffdb556b1902774c7b815eb710f0166a3 SHA256: 5c7bddde92eb51c5fbd7be4899b490b648af98bf78442a64430b2fc5e052df97 |
|
|
| c:\program files (x86)\imap service\imapsv.exe | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\tmp4ef.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\tmpd88.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\0303d5b4-ffe9-470e-9dd8-7d9ec416e53f\task.dat | 0.07 KB |
MD5:
e158eaad635b1f58020f876361f528e6
SHA1: ffa5c8dbf3986c39fc0a75e3ac167151a4b5093b SHA256: ef700c5e55f6738cfd53390b4cb1c153fc5283d5b38da2cd84d5662b496e479e |
|
|
| c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\tmpd88.tmp | 1.28 KB |
MD5:
266ebd097e1267e63a5abfc1dededae8
SHA1: b619bdaa65cbb17c86da3744e566e6a66c7057b4 SHA256: b3689f65cd1048f673cda43b0f93ffddb45bc67da94a62335b7c75ba0f0b2852 |
|
|
Host Behavior
File (68)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\0303D5B4-FFE9-470E-9DD8-7D9EC416E53F\run.dat | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\tmp4EF.tmp | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\0303D5B4-FFE9-470E-9DD8-7D9EC416E53F\task.dat | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\tmpD88.tmp | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\0303D5B4-FFE9-470E-9DD8-7D9EC416E53F | - |
|
1 | |
| Create Directory | C:\Program Files (x86)\IMAP Service | - |
|
1 | |
| Create Directory | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\0303D5B4-FFE9-470E-9DD8-7D9EC416E53F\Logs | - |
|
1 | |
| Create Directory | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\0303D5B4-FFE9-470E-9DD8-7D9EC416E53F\Logs\5p5NrGJn0jS HALPmcxz | - |
|
1 | |
| Create Temp File | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\tmp4EF.tmp | path = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\, prefix = tmp |
|
1 | |
| Create Temp File | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\tmpD88.tmp | path = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\, prefix = tmp |
|
1 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\0303D5B4-FFE9-470E-9DD8-7D9EC416E53F | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz | type = file_attributes |
|
2 | |
| Get Info | C:\Users | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\0303D5B4-FFE9-470E-9DD8-7D9EC416E53F\run.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\0303D5B4-FFE9-470E-9DD8-7D9EC416E53F\run.dat | type = file_type |
|
2 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\0303D5B4-FFE9-470E-9DD8-7D9EC416E53F\Exceptions\1.2.2.0 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\IMAP Service | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86) | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\IMAP Service\imapsv.exe | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\tmp4EF.tmp | type = file_type |
|
2 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\0303D5B4-FFE9-470E-9DD8-7D9EC416E53F\task.dat | type = file_type |
|
2 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\tmpD88.tmp | type = file_type |
|
2 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\0303D5B4-FFE9-470E-9DD8-7D9EC416E53F\catalog.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\0303D5B4-FFE9-470E-9DD8-7D9EC416E53F\storage.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\0303D5B4-FFE9-470E-9DD8-7D9EC416E53F\settings.bin | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\0303D5B4-FFE9-470E-9DD8-7D9EC416E53F\settings.bak | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\0303D5B4-FFE9-470E-9DD8-7D9EC416E53F\Logs\5p5NrGJn0jS HALPmcxz | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\0303D5B4-FFE9-470E-9DD8-7D9EC416E53F\Logs | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\0303D5B4-FFE9-470E-9DD8-7D9EC416E53F | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe.config | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Copy | C:\Program Files (x86)\IMAP Service\imapsv.exe | source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 237 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 0 |
|
1 | |
| Write | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\0303D5B4-FFE9-470E-9DD8-7D9EC416E53F\run.dat | size = 8 |
|
1 | |
| Write | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\0303D5B4-FFE9-470E-9DD8-7D9EC416E53F\task.dat | size = 71 |
|
1 | |
| Write | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\tmpD88.tmp | size = 1309 |
|
1 | |
| Delete | C:\Program Files (x86)\IMAP Service\imapsv.exe | - |
|
1 | |
| Delete | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\0303D5B4-FFE9-470E-9DD8-7D9EC416E53F\IMAP Service\imapsv.exe | - |
|
1 | |
| Delete | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\tmp4EF.tmp | - |
|
1 | |
| Delete | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\tmpD88.tmp | - |
|
1 | |
| Delete | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe:Zone.Identifier | - |
|
1 |
Registry (31)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | value_name = DbgJITDebugLaunchSetting, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | value_name = DbgManagedDebugger, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | value_name = MachineGuid, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | value_name = MachineGuid, data = 0303d5b4-ffe9-470e-9dd8-7d9ec416e53f, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | value_name = EnableLUA, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | value_name = EnableLUA, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | value_name = IMAP Service, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | value_name = IMAP Service, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Write Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | value_name = IMAP Service, data = C:\Program Files (x86)\IMAP Service\imapsv.exe, size = 94, type = REG_SZ |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | "schtasks.exe" /create /f /tn "IMAP Service" /xml "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\tmp4EF.tmp" | os_pid = 0xb60, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "schtasks.exe" /create /f /tn "IMAP Service Task" /xml "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\tmpD88.tmp" | os_pid = 0xb78, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 |
Module (132)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.dll | base_address = 0x75fd0000 |
|
1 | |
| Load | SHELL32.dll | base_address = 0x76920000 |
|
1 | |
| Load | OLEAUT32.dll | base_address = 0x764e0000 |
|
1 | |
| Load | mscoree.dll | base_address = 0x75830000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x760e0000 |
|
1 | |
| Load | api-ms-win-core-synch-l1-2-0 | base_address = 0x0 |
|
2 | |
| Load | api-ms-win-core-synch-l1-2-0 | base_address = 0x75350000 |
|
2 | |
| Load | api-ms-win-core-fibers-l1-1-1 | base_address = 0x0 |
|
4 | |
| Load | kernel32 | base_address = 0x0 |
|
2 | |
| Load | kernel32 | base_address = 0x75fd0000 |
|
2 | |
| Load | advapi32 | base_address = 0x0 |
|
1 | |
| Load | advapi32 | base_address = 0x760e0000 |
|
1 | |
| Load | api-ms-win-core-localization-l1-2-1 | base_address = 0x0 |
|
2 | |
| Get Handle | c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe | base_address = 0x400000 |
|
9 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x763e0000 |
|
1 | |
| Get Filename | - | process_name = c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe, file_name_orig = , size = 260 |
|
1 | |
| Get Filename | api-ms-win-core-localization-l1-2-1 | process_name = c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe, file_name_orig = C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe, size = 260 |
|
4 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x75fe1856 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75fe1916 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75fe168c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnmapViewOfFile, address_out = 0x75fe1826 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75fe11c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x75fe5223 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77e69d35 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x75fe2d3c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77e645f5 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x75fe7a10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageA, address_out = 0x76005fbd |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RaiseException, address_out = 0x75fe58a6 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualFree, address_out = 0x75fe186e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75fe3f5c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x76007aca |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75ffc807 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75fe1410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x7606454f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75fe1328 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x76087bff |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75fe1282 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x75fe469b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x75fe1946 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75fe4a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x7600d1d4 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77e522b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77e52270 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75fe5235 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x7600772f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x75fe87c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x75fe4d40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75fe34b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75fe1725 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75fe11f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75fe1450 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75fe3509 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeSListHead, address_out = 0x77e694a4 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75fe1809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x75ffd802 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77e70fcb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75fe4950 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InterlockedFlushSList, address_out = 0x77e62775 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75fe11a9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x7600d1c3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75fe49ad |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75fe11e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75fe14fb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75fe3587 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibrary, address_out = 0x75fe34c8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75fe1222 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75fe495d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75fe192e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75fe4a6f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x75fe170d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x75fe14c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77e5e026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75fe179c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75fe17b9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x75fe51b3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75fe3531 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77e63002 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77e71f6e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x75fe4493 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7600d1a1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75fe5189 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x75fe51e3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x75fe51cb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75fe14e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineA, address_out = 0x75fe51a1 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = CommandLineToArgvW, address_out = 0x76939ee8 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 23, address_out = 0x764fe336 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 16, address_out = 0x764fdeeb |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 8, address_out = 0x764e3ed5 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 2, address_out = 0x764e4642 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 26, address_out = 0x764fe9b7 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 24, address_out = 0x764fe365 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 15, address_out = 0x764fe263 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 411, address_out = 0x764fe5fa |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 9, address_out = 0x764e3eae |
|
1 | |
| Get Address | c:\windows\syswow64\mscoree.dll | function = CorBindToRuntimeEx, address_out = 0x75847b55 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SystemFunction036, address_out = 0x760e1919 |
|
1 | |
| Get Address | c:\windows\syswow64\api-ms-win-core-synch-l1-2-0.dll | function = InitializeCriticalSectionEx, address_out = 0x0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x75fe4f2b |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75fe4208 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = EventRegister, address_out = 0x77e6f6ba |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = EventSetInformation, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75fe1252 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x760647f1 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DefWindowProcW, address_out = 0x77e625dd |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 126976 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Map | - | process_name = c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | - | process_name = c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe, desired_access = FILE_MAP_WRITE |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
Window (17)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = WindowsForms10.Window.8.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.Window.8.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | .NET-BroadcastEventWindow.2.0.0.0.378734a.0 | class_name = .NET-BroadcastEventWindow.2.0.0.0.378734a.0, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551612, new_long = 2011571677 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551612, new_long = 5866706 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551612, new_long = 2011571677 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551612, new_long = 5866754 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.0.app.0.378734a, index = 18446744073709551612, new_long = 2011571677 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.0.app.0.378734a, index = 18446744073709551612, new_long = 5867210 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551608, new_long = 393516 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551608, new_long = 393516 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551600, new_long = 583991296 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551596, new_long = 65536 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.0.app.0.378734a, index = 18446744073709551612, new_long = 2011571677 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.0.app.0.378734a, index = 18446744073709551612, new_long = 5867386 |
|
1 |
Keyboard (279)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = KB_LOCALE_ID, os_tid = 1888, result_out = 67699721 |
|
140 | |
| Get Info | type = KB_LOCALE_ID, os_tid = 1384, result_out = 67699721 |
|
139 |
System (816)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = XDUWTFONO |
|
1 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
526 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2018-05-23 13:38:46 (UTC) |
|
1 | |
| Get Info | type = Operating System |
|
7 | |
| Get Info | type = Hardware Information |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
279 |
Mutex (14)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\{70e0240c-77de-4f81-ac5c-cb838d2319d3} |
|
1 | |
| Create | mutex_name = Global\.net clr networking |
|
10 | |
| Create | mutex_name = Global\.net clr networking |
|
1 | |
| Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #4: schtasks.exe
19
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\syswow64\schtasks.exe |
| Command Line | "schtasks.exe" /create /f /tn "IMAP Service" /xml "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\tmp4EF.tmp" |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\ |
| Monitor | Start Time: 00:02:55, Reason: Child Process |
| Unmonitor | End Time: 00:03:51, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:56 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb60 |
| Parent PID | 0xaf8 (c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B64
0x
B74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| schtasks.exe.mui | 0x000f0000 | 0x00101fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0014ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00160fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00180fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x002aefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0038ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x005cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x00757fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x008e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x008f0000 | 0x00bbefff | Memory Mapped File | Readable |
|
|
|
- |
| schtasks.exe | 0x00c20000 | 0x00c4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000c50000 | 0x00c50000 | 0x0204ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002050000 | 0x02050000 | 0x0220ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000020f0000 | 0x020f0000 | 0x0212ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000021d0000 | 0x021d0000 | 0x0220ffff | Private Memory | Readable, Writable |
|
|
|
- |
| taskschd.dll | 0x748b0000 | 0x7492cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x752d0000 | 0x7534ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x75360000 | 0x75367fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x75370000 | 0x753cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x753d0000 | 0x7540efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ktmw32.dll | 0x75440000 | 0x75448fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x757a0000 | 0x757a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x75980000 | 0x7598bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x75990000 | 0x759effff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a30000 | 0x75a48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75bb0000 | 0x75bf5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x75fd0000 | 0x760dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x760e0000 | 0x7617ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76180000 | 0x761d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x763c0000 | 0x763c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x763e0000 | 0x764dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x764e0000 | 0x7656efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76670000 | 0x7671bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76720000 | 0x767ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x76890000 | 0x76912fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x77570000 | 0x775cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x775d0000 | 0x776bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x776c0000 | 0x7781bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77820000 | 0x778affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x77990000 | 0x77a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000077a30000 | 0x77a30000 | 0x77b4efff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000077b50000 | 0x77b50000 | 0x77c49fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c50000 | 0x77df8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77e30000 | 0x77faffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (3)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect, user = 1986501854, domain = 2, password = 120 |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, new_interface = ITaskFolder |
|
1 |
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\tmp4EF.tmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE |
|
1 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\tmp4EF.tmp | type = size, size_out = 1334 |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Read | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\tmp4EF.tmp | size = 2, size_out = 2 |
|
1 | |
| Read | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\tmp4EF.tmp | size = 1335, size_out = 1334 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 74 |
|
1 |
Module (7)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | VERSION.dll | base_address = 0x757a0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\schtasks.exe | base_address = 0xc20000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\schtasks.exe, file_name_orig = C:\Windows\SysWOW64\schtasks.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x757a19d9 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x757a19f4 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x757a1b51 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-05-23 13:39:13 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 198526 |
|
1 |
Process #5: taskeng.exe
0
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\taskeng.exe |
| Command Line | taskeng.exe {05965D02-66FE-4C30-84EF-49C2DFC0C57D} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1] |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:56, Reason: Created Scheduled Job |
| Unmonitor | End Time: 00:03:51, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5c8 |
| Parent PID | 0x360 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
85C
0x
514
0x
64C
0x
5E0
0x
5D4
0x
5CC
|
Process #6: schtasks.exe
19
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\syswow64\schtasks.exe |
| Command Line | "schtasks.exe" /create /f /tn "IMAP Service Task" /xml "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\tmpD88.tmp" |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\ |
| Monitor | Start Time: 00:02:58, Reason: Child Process |
| Unmonitor | End Time: 00:03:51, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:53 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb78 |
| Parent PID | 0xaf8 (c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B7C
0x
B90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| schtasks.exe.mui | 0x00080000 | 0x00091fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x0013ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00140000 | 0x001a6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x004cefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x00677fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00800fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0092ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0098ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x00a2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| schtasks.exe | 0x00a90000 | 0x00abdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x01ebffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01ec0000 | 0x0218efff | Memory Mapped File | Readable |
|
|
|
- |
| taskschd.dll | 0x748b0000 | 0x7492cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x752d0000 | 0x7534ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x75360000 | 0x75367fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x75370000 | 0x753cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x753d0000 | 0x7540efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ktmw32.dll | 0x75440000 | 0x75448fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x757a0000 | 0x757a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x75980000 | 0x7598bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x75990000 | 0x759effff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a30000 | 0x75a48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75bb0000 | 0x75bf5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x75fd0000 | 0x760dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x760e0000 | 0x7617ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76180000 | 0x761d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x763c0000 | 0x763c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x763e0000 | 0x764dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x764e0000 | 0x7656efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76670000 | 0x7671bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76720000 | 0x767ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x76890000 | 0x76912fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x77570000 | 0x775cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x775d0000 | 0x776bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x776c0000 | 0x7781bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77820000 | 0x778affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x77990000 | 0x77a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000077a30000 | 0x77a30000 | 0x77b4efff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000077b50000 | 0x77b50000 | 0x77c49fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c50000 | 0x77df8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77e30000 | 0x77faffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (3)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect, user = 1986501854, domain = 2, password = 120 |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, new_interface = ITaskFolder |
|
1 |
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\tmpD88.tmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE |
|
1 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\tmpD88.tmp | type = size, size_out = 1309 |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Read | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\tmpD88.tmp | size = 2, size_out = 2 |
|
1 | |
| Read | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\tmpD88.tmp | size = 1310, size_out = 1309 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 79 |
|
1 |
Module (7)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | VERSION.dll | base_address = 0x757a0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\schtasks.exe | base_address = 0xa90000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\schtasks.exe, file_name_orig = C:\Windows\SysWOW64\schtasks.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x757a19d9 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x757a19f4 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x757a1b51 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-05-23 13:39:17 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 202520 |
|
1 |
