6ec6c457f112de97ece2f7b9c654ffe165ee1fa6bee52f0575dad1426c552a18 (SHA256)
DriverPack-17-Online.exe
Windows Exe (x86-32)
Created at 2018-11-07 11:27:00
Notifications (2/2)
The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.
The overall sleep time of all monitored processes was truncated from "10 minutes" to "10 seconds" to reveal dormant functionality.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: driverpack-17-online.exe
1021
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\ciihmnxmn6ps\desktop\driverpack-17-online.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\DriverPack-17-Online.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:11, Reason: Analysis Target |
| Unmonitor | End Time: 00:05:11, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe80 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E84
0x
E88
0x
E90
0x
E9C
0x
EA0
0x
EA4
0x
EB0
0x
EB4
0x
EB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00223fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00231fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00243fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00263fff | Private Memory | rw |
|
|
|
- |
| user32.dll.mui | 0x00270000 | 0x00274fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00382fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x00390000 | 0x00393fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x003a0000 | 0x003a3fff | Memory Mapped File | r |
|
|
|
- |
| cversions.1.db | 0x003b0000 | 0x003b3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| driverpack-17-online.exe | 0x00400000 | 0x0047dfff | Memory Mapped File | rwx |
|
|
|
|
| locale.nls | 0x00480000 | 0x0053dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x006f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00716fff | Pagefile Backed Memory | rw |
|
|
|
- |
| propsys.dll.mui | 0x00700000 | 0x00710fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x00957fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x00ae0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x01eeffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01ef0000 | 0x02226fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002230000 | 0x02230000 | 0x0232ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002330000 | 0x02330000 | 0x0242ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002330000 | 0x02330000 | 0x0236ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x023affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023b0000 | 0x023b0000 | 0x023effff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x023f0000 | 0x02402fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002430000 | 0x02430000 | 0x02921fff | Pagefile Backed Memory | rw |
|
|
|
- |
| staticcache.dat | 0x02930000 | 0x0396ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003970000 | 0x03970000 | 0x03a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003970000 | 0x03970000 | 0x03a7efff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003a70000 | 0x03a70000 | 0x03b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003a80000 | 0x03a80000 | 0x03b87fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b90000 | 0x03b90000 | 0x03d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003d90000 | 0x03d90000 | 0x03e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003e90000 | 0x03e90000 | 0x03ecffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0x03e90000 | 0x03ed2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003ed0000 | 0x03ed0000 | 0x03fcffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x03ee0000 | 0x03f6afff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003fd0000 | 0x03fd0000 | 0x0400ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004010000 | 0x04010000 | 0x0410ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004110000 | 0x04110000 | 0x0414ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004150000 | 0x04150000 | 0x0424ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004250000 | 0x04250000 | 0x042cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000042d0000 | 0x042d0000 | 0x0434ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004350000 | 0x04350000 | 0x043cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000043d0000 | 0x043d0000 | 0x0440ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004410000 | 0x04410000 | 0x0444ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x73dc0000 | 0x74080fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x74090000 | 0x741effff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x741f0000 | 0x743f6fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74400000 | 0x7442efff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74430000 | 0x7444afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74450000 | 0x74462fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74470000 | 0x745b1fff | Memory Mapped File | rwx |
|
|
|
- |
| explorerframe.dll | 0x745c0000 | 0x749e9fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x749f0000 | 0x74bf8fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75220000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76820000 | 0x768a1fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.sdb | 0x7fb10000 | 0x7fe9ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000007fea7000 | 0x7fea7000 | 0x7fea9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007feaa000 | 0x7feaa000 | 0x7feacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fead000 | 0x7fead000 | 0x7feaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\DriverPack.exe | 87.39 KB |
MD5:
a3049526a7d9454284e2ab05ce1abbdb
SHA1: 8f1324beaf121a9dc15acb9c3209002369ca5825 SHA256: a7b1eba1d21f2dcc135f8d7777ea41455b79ee5a9aa91fdaba9c9a54b40d5c82 SSDeep: 1536:tTgSFOJu2aF0gqqcZudzc+d4iBTiE9M3m/LifgiciTjDiciTG:2Zu2Vgc0B4iBTiEhELTjuTG |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\prepare.js | 103.27 KB |
MD5:
8fbe14f6609e23d70fec65d80672dd62
SHA1: cd5b7568741bbd435ac176e5946c11783fe5285a SHA256: a388137c9f955b7b66387d548fb6e2f1d3710e50101d1b40dbff6cb626667ef6 SSDeep: 1536:z4Z6+CHpflbWFkVUq4KGkaDA25Pjv8LturXQfpyA:zEJq+XqCN8qARyA |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\run.hta | 25.86 KB |
MD5:
d9186d785f70b10a19cd342ea826a50a
SHA1: 79d76eb0df960ba3ebcfd69dd125a67ff291d39e SHA256: f3b94c2bf74c3af488ef88c3e8e07dd093d686274dcb74ea8cead7faa135a34c SSDeep: 768:yJZifV+pGNG4GgGtGfRyFOwlDvVtX6lL+F:UnmRyF/t |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\config.js | 3.01 KB |
MD5:
4d42e302df881d1a477854e23bcee21b
SHA1: 0a7c3fba5da57e76f5c0049b9fb33f8d81f9bcce SHA256: 1edac75e51c2988150ed3064d598a902bbfa67a9920b8d8f9e5981bdb8146e8a SSDeep: 48:113cTEvEvDanYlbd5E6E3MFk1UIzu4UI0OU6FAg7sbZvYAm0R:oEvEv+nYFde6E3bOhrF6Fv78ZvY0 |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\no_internet\no_internet-step2.png | 1.83 KB |
MD5:
8bff39ae83783ccacb7175347102549a
SHA1: aa69e573803c07ebeecc502f2a6d3f0e07250d51 SHA256: 9a940e08c97cdb82c181a98ee99e1c145ac96ba9061d25f9075dfaab5727bd75 SSDeep: 48:FLWfEJxIYprz4BZf53RVjq0AG2Mwg1XiM2:FixKX4BR5Btq0CHgtiM2 |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\no_internet\no_internet-connection.png | 4.86 KB |
MD5:
a43605b4ab97297a27ac68b3747e61fb
SHA1: a9143208894c6a667ce121bd13f57f2f3bf53da3 SHA256: 677b6ae48b0a71e404d57534f943ef323c41e58212f55d81f96321664aac440c SSDeep: 96:bIiPrrROxMhn1PuHZqlBwrlDGJuS29SwWzh4DKiPCvaI7QeGf7cl:sp6hn1G5qmS47vDKiPCn7af7cl |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\no_internet\no_internet-step1.png | 2.11 KB |
MD5:
fedbae40f618a1315dbca54071708013
SHA1: 554b12fc2b3b1e09813dc2a8f112d68b1e3e0a65 SHA256: 018e28f327c21d124bd38dc6c7d80bf8b3a1e61cdd533c31f57f8685f90cb0fb SSDeep: 48:FWuUbbbbbb91pDdSbnqGNb1X7KcG41cVlC7ov0QwrgrN8+mRhGcsue7wO+6DBp:FTUbbbbbbHpDQbDNbzci8vRwrgrN8+FD |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\drp.css | 7.55 KB |
MD5:
01f85f0befdc6323d64256084071af07
SHA1: bcf213270194c78786cbb3e7e2af69e7e2d6e3c9 SHA256: d10e64e0e7ba0f31de9ede9cad3a4df2f1049c0843592b8720f8efe81211107a SSDeep: 96:QhSYczWTXqpD1ildRMRflzmexqmOTNXVtzd7ESzBWx5RsqNhGl:Qf8W+p7lmex5OTN6QBmwqNho |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\patch.reg | 5.21 KB |
MD5:
9297860413f4cc8b0c933650aaed46be
SHA1: 4d243560a8425e6a7af72285db55d09d9e50bdf1 SHA256: c21a2dab523467d5fcfa8a9ce83a8284a6e9256139a0d8d8f82d39aa87b368d0 SSDeep: 96:P13+jemjxX+2g1vPOMoV+HRSIegfFWH/1AIju5h3ukf8E:P9gI0huGWukf8E |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\loading.gif | 18.66 KB |
MD5:
a90e737d05ebfa82bf96168def807c36
SHA1: ddc76a0c64ebefe5b9a12546c59a37c03d5d1f5b SHA256: 24ed9db3eb0d97ecf1f0832cbd30bd37744e0d2b520ccdad5af60f7a08a45b90 SSDeep: 384:hfnVYmHzbomdWi6KS1LaRZUvgzjcoZkrzxV3HW5qQUNTVa8KQBJOb:hv+mHzzUi6KGgUSjTZkrlV3HW51UNTVC |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\header\header-logo.png | 2.30 KB |
MD5:
30b1427e1898d584fbf4347e65e522bb
SHA1: 4f954a8698c9b193f7d62635d13dbf85f0fb892e SHA256: dc34c8bba856ee83f3bdda4a46898f86c553e59c71c3401400266293d2ead2d4 SSDeep: 48:OccLAmgGBzqEs6115Z/rEsssV24f22tNs9YSSqgmD77:8+Ghqz6H5Z/rEPsVvfghS+77 |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\header\close.png | 0.16 KB |
MD5:
ca0cfac0c0d1d639273167e6a6a9a477
SHA1: 8b4b60d7603e69be5c03baa6844ab9703497ecb1 SHA256: 4873d5617c63cac4b820c6d199be36d111dba358b5f357455e33afa74040555e SSDeep: 3:yionv//thPl3xWr5cjABBrXnayOfo6/PeRsPaV4g1p:6v/lhPK1c6B7aDo6+Rzp |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\screens\new-logo.png | 11.85 KB |
MD5:
3878a76a6b6724b2f7847e13cce4b320
SHA1: 96a39b7ea48a99d09f6ea65f911bb696c3900603 SHA256: 78d8a5c194abf73d655126c8cd09fba5ca4b46f3773667e8a55d3b6f24d85697 SSDeep: 192:0udgTXU8CM/aKyfbHHJ0CsUbXDif378kSmZSwoe8oXtVVrtQOMcqml:0ecBITHGzUvifr8JBe8oXjVRjfqC |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\init.cmd | 0.83 KB |
MD5:
2d07f324a539ade610cd86f3788db114
SHA1: c898927fe8eddab9997daefe21241ed211221676 SHA256: 20692738398af39ee4c65eda97b70f65466baaccd1c12eefc26e632f505b68a5 SSDeep: 24:n99X55J8k/MuJeU8/CMl9c7Bzj7QvIccRM2uQcL:DXXJ8kEuJeUMLle7Bzj7QvIccRhuQcL |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\Icon.ico | 24.62 KB |
MD5:
733d67c2e70bc804cd9497d20fe96696
SHA1: 3ec7c1330af77d2684a88e87642cdec98136f424 SHA256: 0a3edd3d1fd9ae649d0d6164858705017dc482ce56d090a478f57d02619e88ce SSDeep: 384:1MrYEWMoMS8rTup9wNBhZ6cQ0mPHH0MT2QqN:1MrYTMI8Wp9wBZFm/LivN |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\no_internet\no_internet-complete.png | 1.63 KB |
MD5:
9317f902a1a6c30f7b7d2d6be2002803
SHA1: 0eb579bcc8fffbebfc8e21de3a470bd0ee8c0d7b SHA256: 196da0c1548eb42d823cf27f62dd25ba79b4e70cb858bba00bfdf23be385626b SSDeep: 24:FCp5MaXbbbbbbJAqUCBR9vtwcVbCRw41T+VixutzID1GYTt67laC58/azxbZI:FEjXbbbbbbJAqjBR9vAjT+3zYRilFi8I |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\onexit.cmd | 0.76 KB |
MD5:
898a4306c45f626e1f158596a7403ed6
SHA1: 0d3227c24082948485706649ebae9b9c01337702 SHA256: d686c59e90a1ae6053760f244a5a1ae01db4b18804b8958c8fa165b4eec7c6f3 SSDeep: 24:cL5Sg1HXNTm39pUX1tgu8ws0vHyM8v6dlXO7x2t:cUg1HdTepxYNvSMFdlXUx2t |
|
|
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 56FDF344-FD6D-11D0-958A-006097C9A090 | EA1AFB91-9E28-4B86-90E9-9E9F8A5EEFAF | cls_context = CLSCTX_INPROC_SERVER |
|
1 |
File (492)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\DriverPack-17-Online.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\config.js | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\prepare.js | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\drp.css | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\Icon.ico | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\header\close.png | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\header\header-logo.png | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\loading.gif | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\no_internet\no_internet-complete.png | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\no_internet\no_internet-connection.png | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\no_internet\no_internet-step1.png | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\no_internet\no_internet-step2.png | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\screens\new-logo.png | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\init.cmd | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\onexit.cmd | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\patch.reg | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\run.hta | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\DriverPack.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000 | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000 | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\css | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\css | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\css\fonts | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\css\fonts | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\css\fonts\DRPcheckbox | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\css\fonts\DRPcheckbox | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\css\fonts\DRPicons | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\css\fonts\DRPicons | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\css\fonts\Open-Sans | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\css\fonts\Open-Sans | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\css\fonts\ProximaNova | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\css\fonts\ProximaNova | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\css\fonts\Roboto | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\css\fonts\Roboto | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\bugreport | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\bugreport | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\burger | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\burger | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\charms | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\charms | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\device-class | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\device-class | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\final | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\final | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\games | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\games | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\header | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\header | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\installation | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\installation | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\installation\controls | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\installation\controls | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\installation\drivers | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\installation\drivers | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\installation\soft | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\installation\soft | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\installation\statuses | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\installation\statuses | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\no_internet | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\no_internet | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\professional | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\professional | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\programs | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\programs | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\screens | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\screens | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\js | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\js | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\languages | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\languages | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\ico | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\ico | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\header | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\header | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\no_internet | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\no_internet | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\screens | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\screens | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\modules | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\modules | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\v2 | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\v2 | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\v2\alternative | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\v2\alternative | - |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\css | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\css\fonts | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\css\fonts\DRPcheckbox | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\css\fonts\DRPicons | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\css\fonts\Open-Sans | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\css\fonts\ProximaNova | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\css\fonts\Roboto | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\bugreport | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\burger | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\charms | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\device-class | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\final | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\games | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\header | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\installation | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\installation\controls | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\installation\drivers | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\installation\soft | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\installation\statuses | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\no_internet | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\professional | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\programs | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\img\screens | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\js | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\languages | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\ico | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\header | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\no_internet | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\screens | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\modules | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\v2 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\v2\alternative | type = file_attributes |
|
2 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\DriverPack-17-Online.exe | size = 4096, size_out = 4096 |
|
2 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\DriverPack-17-Online.exe | size = 4079, size_out = 4079 |
|
119 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\DriverPack-17-Online.exe | size = 4075, size_out = 4075 |
|
128 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\DriverPack-17-Online.exe | size = 32, size_out = 32 |
|
3 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\DriverPack-17-Online.exe | size = 32736, size_out = 32736 |
|
45 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\DriverPack-17-Online.exe | size = 36, size_out = 36 |
|
3 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\DriverPack-17-Online.exe | size = 812, size_out = 812 |
|
3 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\DriverPack-17-Online.exe | size = 89221, size_out = 89221 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\DriverPack-17-Online.exe | size = 81, size_out = 81 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\DriverPack-17-Online.exe | size = 994, size_out = 994 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\DriverPack-17-Online.exe | size = 581, size_out = 581 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\DriverPack-17-Online.exe | size = 34235, size_out = 34235 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\config.js | size = 3086 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\prepare.js | size = 105750 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\drp.css | size = 7728 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\Icon.ico | size = 25214 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\header\close.png | size = 160 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\header\header-logo.png | size = 2351 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\loading.gif | size = 19110 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\no_internet\no_internet-complete.png | size = 1666 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\no_internet\no_internet-connection.png | size = 4972 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\no_internet\no_internet-step1.png | size = 2157 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\no_internet\no_internet-step2.png | size = 1872 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\screens\new-logo.png | size = 12133 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\init.cmd | size = 852 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\onexit.cmd | size = 782 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\patch.reg | size = 5331 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\run.hta | size = 26480 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\DriverPack.exe | size = 89488 |
|
1 |
Process (6)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | wscript.exe | show_window = SW_SHOWNORMAL |
|
5 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\DriverPack.exe | show_window = SW_SHOWNORMAL |
|
1 |
Module (14)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32 | base_address = 0x75260000 |
|
1 | |
| Load | uxtheme | base_address = 0x74c20000 |
|
1 | |
| Get Handle | c:\users\ciihmnxmn6ps\desktop\driverpack-17-online.exe | base_address = 0x400000 |
|
6 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\driverpack-17-online.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\DriverPack-17-Online.exe, size = 520 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetNativeSystemInfo, address_out = 0x7527a410 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetProcessPreferredUILanguages, address_out = 0x752a2640 |
|
1 | |
| Get Address | c:\windows\syswow64\uxtheme.dll | function = SetWindowTheme, address_out = 0x74c57f60 |
|
1 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = tooltips_class32, wndproc_parameter = 0 |
|
1 | |
| Set Attribute | - | index = 18446744073709551595, new_long = 1702604 |
|
1 |
System (49)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1 milliseconds (0.001 seconds) |
|
1 | |
| Sleep | duration = 20 milliseconds (0.020 seconds) |
|
3 | |
| Sleep | duration = -1 (infinite) |
|
3 | |
| Get Time | type = System Time, time = 2018-11-07 11:29:02 (UTC) |
|
1 | |
| Get Time | type = System Time, time = 2018-11-07 11:29:03 (UTC) |
|
36 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Hardware Information |
|
3 |
Environment (366)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = SfxString3 |
|
2 | |
| Get Environment String | name = SfxString40 |
|
2 | |
| Get Environment String | name = SfxString2 |
|
2 | |
| Get Environment String | name = SfxString5 |
|
2 | |
| Get Environment String | name = SfxString21 |
|
2 | |
| Get Environment String | name = SfxString22 |
|
2 | |
| Get Environment String | name = SfxString23 |
|
2 | |
| Get Environment String | name = SfxString4 |
|
2 | |
| Get Environment String | name = SfxString1 |
|
1 | |
| Get Environment String | name = SfxString6 |
|
1 | |
| Get Environment String | name = SfxString7 |
|
1 | |
| Get Environment String | name = SfxString8 |
|
1 | |
| Get Environment String | name = SfxString9 |
|
1 | |
| Get Environment String | name = SfxString10 |
|
1 | |
| Get Environment String | name = SfxString11 |
|
1 | |
| Get Environment String | name = SfxString12 |
|
1 | |
| Get Environment String | name = SfxString13 |
|
1 | |
| Get Environment String | name = SfxString14 |
|
1 | |
| Get Environment String | name = SfxString15 |
|
1 | |
| Get Environment String | name = SfxString16 |
|
1 | |
| Get Environment String | name = SfxString17 |
|
1 | |
| Get Environment String | name = SfxString18 |
|
1 | |
| Get Environment String | name = SfxString19 |
|
1 | |
| Get Environment String | name = SfxString20 |
|
1 | |
| Get Environment String | name = SfxString33 |
|
1 | |
| Get Environment String | name = SfxString34 |
|
1 | |
| Get Environment String | name = SfxString24 |
|
1 | |
| Get Environment String | name = SfxString25 |
|
1 | |
| Get Environment String | name = SfxString26 |
|
1 | |
| Get Environment String | name = SfxString27 |
|
1 | |
| Get Environment String | name = SfxString28 |
|
1 | |
| Get Environment String | name = SfxString29 |
|
1 | |
| Get Environment String | name = SfxString30 |
|
1 | |
| Get Environment String | name = SfxString31 |
|
1 | |
| Get Environment String | name = SfxString32 |
|
1 | |
| Get Environment String | name = SfxString35 |
|
1 | |
| Get Environment String | name = SfxString36 |
|
1 | |
| Get Environment String | name = SfxString37 |
|
1 | |
| Get Environment String | name = SfxString38 |
|
1 | |
| Get Environment String | name = SfxString39 |
|
1 | |
| Get Environment String | name = SfxString41 |
|
1 | |
| Get Environment String | name = SfxString42 |
|
1 | |
| Get Environment String | name = SfxString43 |
|
1 | |
| Get Environment String | name = SfxString44 |
|
3 | |
| Get Environment String | name = SfxString26 |
|
1 | |
| Get Environment String | name = SfxString26, result_out = Cancel |
|
1 | |
| Set Environment String | name = SfxFolder00, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = 7zSfxFolder00, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = SfxFolder02, value = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs |
|
2 | |
| Set Environment String | name = 7zSfxFolder02, value = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs |
|
2 | |
| Set Environment String | name = SfxFolder05, value = C:\Users\CIiHmnxMn6Ps\Documents |
|
2 | |
| Set Environment String | name = 7zSfxFolder05, value = C:\Users\CIiHmnxMn6Ps\Documents |
|
2 | |
| Set Environment String | name = MyDocuments, value = C:\Users\CIiHmnxMn6Ps\Documents |
|
2 | |
| Set Environment String | name = MyDocs, value = C:\Users\CIiHmnxMn6Ps\Documents |
|
2 | |
| Set Environment String | name = SfxFolder06, value = C:\Users\CIiHmnxMn6Ps\Favorites |
|
2 | |
| Set Environment String | name = 7zSfxFolder06, value = C:\Users\CIiHmnxMn6Ps\Favorites |
|
2 | |
| Set Environment String | name = SfxFolder07, value = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup |
|
2 | |
| Set Environment String | name = 7zSfxFolder07, value = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup |
|
2 | |
| Set Environment String | name = SfxFolder08, value = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent |
|
2 | |
| Set Environment String | name = 7zSfxFolder08, value = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent |
|
2 | |
| Set Environment String | name = SfxFolder09, value = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\SendTo |
|
2 | |
| Set Environment String | name = 7zSfxFolder09, value = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\SendTo |
|
2 | |
| Set Environment String | name = SfxFolder11, value = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu |
|
2 | |
| Set Environment String | name = 7zSfxFolder11, value = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu |
|
2 | |
| Set Environment String | name = SfxFolder13, value = C:\Users\CIiHmnxMn6Ps\Music |
|
2 | |
| Set Environment String | name = 7zSfxFolder13, value = C:\Users\CIiHmnxMn6Ps\Music |
|
2 | |
| Set Environment String | name = SfxFolder14, value = C:\Users\CIiHmnxMn6Ps\Videos |
|
2 | |
| Set Environment String | name = 7zSfxFolder14, value = C:\Users\CIiHmnxMn6Ps\Videos |
|
2 | |
| Set Environment String | name = SfxFolder16, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = 7zSfxFolder16, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = UserDesktop, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = SfxFolder19, value = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Network Shortcuts |
|
2 | |
| Set Environment String | name = 7zSfxFolder19, value = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Network Shortcuts |
|
2 | |
| Set Environment String | name = SfxFolder20, value = C:\Windows\Fonts |
|
2 | |
| Set Environment String | name = 7zSfxFolder20, value = C:\Windows\Fonts |
|
2 | |
| Set Environment String | name = SfxFolder21, value = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Templates |
|
2 | |
| Set Environment String | name = 7zSfxFolder21, value = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Templates |
|
2 | |
| Set Environment String | name = SfxFolder22, value = C:\ProgramData\Microsoft\Windows\Start Menu |
|
2 | |
| Set Environment String | name = 7zSfxFolder22, value = C:\ProgramData\Microsoft\Windows\Start Menu |
|
2 | |
| Set Environment String | name = SfxFolder23, value = C:\ProgramData\Microsoft\Windows\Start Menu\Programs |
|
2 | |
| Set Environment String | name = 7zSfxFolder23, value = C:\ProgramData\Microsoft\Windows\Start Menu\Programs |
|
2 | |
| Set Environment String | name = SfxFolder24, value = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup |
|
2 | |
| Set Environment String | name = 7zSfxFolder24, value = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup |
|
2 | |
| Set Environment String | name = SfxFolder25, value = C:\Users\Public\Desktop |
|
2 | |
| Set Environment String | name = 7zSfxFolder25, value = C:\Users\Public\Desktop |
|
2 | |
| Set Environment String | name = CommonDesktop, value = C:\Users\Public\Desktop |
|
2 | |
| Set Environment String | name = SfxFolder26, value = C:\Users\CIiHmnxMn6Ps\AppData\Roaming |
|
2 | |
| Set Environment String | name = 7zSfxFolder26, value = C:\Users\CIiHmnxMn6Ps\AppData\Roaming |
|
2 | |
| Set Environment String | name = SfxFolder27, value = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Printer Shortcuts |
|
2 | |
| Set Environment String | name = 7zSfxFolder27, value = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Printer Shortcuts |
|
2 | |
| Set Environment String | name = SfxFolder28, value = C:\Users\CIiHmnxMn6Ps\AppData\Local |
|
2 | |
| Set Environment String | name = 7zSfxFolder28, value = C:\Users\CIiHmnxMn6Ps\AppData\Local |
|
2 | |
| Set Environment String | name = SfxFolder29, value = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup |
|
2 | |
| Set Environment String | name = 7zSfxFolder29, value = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup |
|
2 | |
| Set Environment String | name = SfxFolder30, value = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup |
|
2 | |
| Set Environment String | name = 7zSfxFolder30, value = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup |
|
2 | |
| Set Environment String | name = SfxFolder31, value = C:\Users\CIiHmnxMn6Ps\Favorites |
|
2 | |
| Set Environment String | name = 7zSfxFolder31, value = C:\Users\CIiHmnxMn6Ps\Favorites |
|
2 | |
| Set Environment String | name = SfxFolder32, value = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCache |
|
2 | |
| Set Environment String | name = 7zSfxFolder32, value = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCache |
|
2 | |
| Set Environment String | name = SfxFolder33, value = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies |
|
2 | |
| Set Environment String | name = 7zSfxFolder33, value = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies |
|
2 | |
| Set Environment String | name = SfxFolder34, value = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History |
|
2 | |
| Set Environment String | name = 7zSfxFolder34, value = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History |
|
2 | |
| Set Environment String | name = SfxFolder35, value = C:\ProgramData |
|
2 | |
| Set Environment String | name = 7zSfxFolder35, value = C:\ProgramData |
|
2 | |
| Set Environment String | name = SfxFolder36, value = C:\Windows |
|
2 | |
| Set Environment String | name = 7zSfxFolder36, value = C:\Windows |
|
2 | |
| Set Environment String | name = SfxFolder37, value = C:\Windows\system32 |
|
2 | |
| Set Environment String | name = 7zSfxFolder37, value = C:\Windows\system32 |
|
2 | |
| Set Environment String | name = SfxFolder38, value = C:\Program Files (x86) |
|
2 | |
| Set Environment String | name = 7zSfxFolder38, value = C:\Program Files (x86) |
|
2 | |
| Set Environment String | name = SfxFolder39, value = C:\Users\CIiHmnxMn6Ps\Pictures |
|
2 | |
| Set Environment String | name = 7zSfxFolder39, value = C:\Users\CIiHmnxMn6Ps\Pictures |
|
2 | |
| Set Environment String | name = SfxFolder40, value = C:\Users\CIiHmnxMn6Ps |
|
2 | |
| Set Environment String | name = 7zSfxFolder40, value = C:\Users\CIiHmnxMn6Ps |
|
2 | |
| Set Environment String | name = SfxFolder41, value = C:\Windows\SysWOW64 |
|
2 | |
| Set Environment String | name = 7zSfxFolder41, value = C:\Windows\SysWOW64 |
|
2 | |
| Set Environment String | name = SfxFolder42, value = C:\Program Files (x86) |
|
2 | |
| Set Environment String | name = 7zSfxFolder42, value = C:\Program Files (x86) |
|
2 | |
| Set Environment String | name = SfxFolder43, value = C:\Program Files (x86)\Common Files |
|
2 | |
| Set Environment String | name = 7zSfxFolder43, value = C:\Program Files (x86)\Common Files |
|
2 | |
| Set Environment String | name = SfxFolder44, value = C:\Program Files (x86)\Common Files |
|
2 | |
| Set Environment String | name = 7zSfxFolder44, value = C:\Program Files (x86)\Common Files |
|
2 | |
| Set Environment String | name = SfxFolder45, value = C:\ProgramData\Microsoft\Windows\Templates |
|
2 | |
| Set Environment String | name = 7zSfxFolder45, value = C:\ProgramData\Microsoft\Windows\Templates |
|
2 | |
| Set Environment String | name = SfxFolder46, value = C:\Users\Public\Documents |
|
2 | |
| Set Environment String | name = 7zSfxFolder46, value = C:\Users\Public\Documents |
|
2 | |
| Set Environment String | name = CommonDocuments, value = C:\Users\Public\Documents |
|
2 | |
| Set Environment String | name = SfxFolder47, value = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools |
|
2 | |
| Set Environment String | name = 7zSfxFolder47, value = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools |
|
2 | |
| Set Environment String | name = SfxFolder48, value = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools |
|
2 | |
| Set Environment String | name = 7zSfxFolder48, value = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools |
|
2 | |
| Set Environment String | name = SfxFolder53, value = C:\Users\Public\Music |
|
2 | |
| Set Environment String | name = 7zSfxFolder53, value = C:\Users\Public\Music |
|
2 | |
| Set Environment String | name = SfxFolder54, value = C:\Users\Public\Pictures |
|
2 | |
| Set Environment String | name = 7zSfxFolder54, value = C:\Users\Public\Pictures |
|
2 | |
| Set Environment String | name = SfxFolder55, value = C:\Users\Public\Videos |
|
2 | |
| Set Environment String | name = 7zSfxFolder55, value = C:\Users\Public\Videos |
|
2 | |
| Set Environment String | name = SfxFolder56, value = C:\Windows\resources |
|
2 | |
| Set Environment String | name = 7zSfxFolder56, value = C:\Windows\resources |
|
2 | |
| Set Environment String | name = SfxFolder59, value = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\Burn\Burn |
|
2 | |
| Set Environment String | name = 7zSfxFolder59, value = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\Burn\Burn |
|
2 | |
| Set Environment String | name = SfxVarModulePlatform, value = x86 |
|
2 | |
| Set Environment String | name = 7zSfxVarModulePlatform, value = x86 |
|
2 | |
| Set Environment String | name = SfxVarSystemPlatform, value = x64 |
|
2 | |
| Set Environment String | name = 7zSfxVarSystemPlatform, value = x64 |
|
2 | |
| Set Environment String | name = SfxVarCmdLine0, value = "C:\Users\CIiHmnxMn6Ps\Desktop\DriverPack-17-Online.exe" |
|
2 | |
| Set Environment String | name = 7zSfxVarCmdLine0, value = "C:\Users\CIiHmnxMn6Ps\Desktop\DriverPack-17-Online.exe" |
|
2 | |
| Set Environment String | name = SfxVarSystemLanguage, value = 1033 |
|
2 | |
| Set Environment String | name = 7zSfxVarSystemLanguage, value = 1033 |
|
2 | |
| Set Environment String | name = SfxString1, value = SFX module - Copyright (c) 2005-2016 Oleg Scherbakov 1.6.2 [x86] build 3888 (March 20, 2016) 7-Zip archiver - Copyright (c) 1999-2015 Igor Pavlov 15.14 (December 31, 2015) Supported methods and filters, build options: |
|
2 | |
| Set Environment String | name = SfxString2, value = 7z SFX |
|
2 | |
| Set Environment String | name = SfxString3, value = 7z SFX: error |
|
2 | |
| Set Environment String | name = SfxString4, value = : error |
|
2 | |
| Set Environment String | name = SfxString5, value = Extracting |
|
2 | |
| Set Environment String | name = SfxString6, value = Could not get SFX filename. |
|
2 | |
| Set Environment String | name = SfxString7, value = Could not open archive file "%s". |
|
2 | |
| Set Environment String | name = SfxString8, value = Non 7z archive. |
|
2 | |
| Set Environment String | name = SfxString9, value = Could not read SFX configuration or configuration not found. |
|
2 | |
| Set Environment String | name = SfxString10, value = Could not write SFX configuration. |
|
2 | |
| Set Environment String | name = SfxString11, value = Error in line %d of configuration data: %s |
|
2 | |
| Set Environment String | name = SfxString12, value = Could not create folder "%s". |
|
2 | |
| Set Environment String | name = SfxString13, value = Could not delete file or folder "%s". |
|
2 | |
| Set Environment String | name = SfxString14, value = Could not find command for "%s". |
|
2 | |
| Set Environment String | name = SfxString15, value = Could not find "setup.exe". |
|
2 | |
| Set Environment String | name = SfxString16, value = Error during execution "%s". |
|
2 | |
| Set Environment String | name = SfxString17, value = 7-Zip: Unsupported method. |
|
2 | |
| Set Environment String | name = SfxString18, value = 7-Zip: CRC error. |
|
2 | |
| Set Environment String | name = SfxString19, value = 7-Zip: Data error. The archive is corrupted, or invalid password was entered. |
|
2 | |
| Set Environment String | name = SfxString20, value = 7-Zip: Internal error, code %u. |
|
2 | |
| Set Environment String | name = SfxString33, value = 7-Zip: Internal error, code 0x%08X. |
|
2 | |
| Set Environment String | name = SfxString34, value = 7-Zip: Extraction error. |
|
2 | |
| Set Environment String | name = SfxString21, value = Extraction path |
|
2 | |
| Set Environment String | name = SfxString22, value = Extraction path: |
|
2 | |
| Set Environment String | name = SfxString23, value = Really cancel the installation? |
|
2 | |
| Set Environment String | name = SfxString24, value = No "HelpText" in the configuration file. |
|
2 | |
| Set Environment String | name = SfxString25, value = OK |
|
2 | |
| Set Environment String | name = SfxString26, value = Cancel |
|
2 | |
| Set Environment String | name = SfxString27, value = Yes |
|
2 | |
| Set Environment String | name = SfxString28, value = No |
|
2 | |
| Set Environment String | name = SfxString29, value = s |
|
2 | |
| Set Environment String | name = SfxString30, value = Could not create file "%s". |
|
2 | |
| Set Environment String | name = SfxString31, value = Could not overwrite file "%s". |
|
2 | |
| Set Environment String | name = SfxString32, value = Error in command line: %s |
|
2 | |
| Set Environment String | name = SfxString35, value = Back |
|
2 | |
| Set Environment String | name = SfxString36, value = Next |
|
2 | |
| Set Environment String | name = SfxString37, value = Finish |
|
2 | |
| Set Environment String | name = SfxString38, value = Cancel |
|
2 | |
| Set Environment String | name = SfxString39, value = Application error: Exception code: 0x%08x Address: 0x%08x Exception data: |
|
2 | |
| Set Environment String | name = SfxString40, value = 7z SFX: warning |
|
2 | |
| Set Environment String | name = SfxString41, value = : warning |
|
2 | |
| Set Environment String | name = SfxString42, value = Not enough free space for extracting. Do you want to continue? |
|
2 | |
| Set Environment String | name = SfxString43, value = Insufficient physical memory. Extracting may take a long time. Do you want to continue? |
|
2 | |
| Set Environment String | name = SfxString44, value = Enter password: |
|
2 | |
| Set Environment String | name = SfxVarCmdLine2 |
|
4 | |
| Set Environment String | name = 7zSfxVarCmdLine2 |
|
4 | |
| Set Environment String | name = SfxVarCmdLine1 |
|
2 | |
| Set Environment String | name = 7zSfxVarCmdLine1 |
|
2 |
Process #2: wscript.exe
103
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\syswow64\wscript.exe |
| Command Line | "C:\Windows\System32\wscript.exe" //B "C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\prepare.js" localdiagnostics |
| Initial Working Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\ |
| Monitor | Start Time: 00:01:21, Reason: Child Process |
| Unmonitor | End Time: 00:05:11, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:50 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xec0 |
| Parent PID | 0xe80 (c:\users\ciihmnxmn6ps\desktop\driverpack-17-online.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EC4
0x
F1C
0x
F4C
0x
F60
0x
F74
0x
F94
0x
FAC
0x
FB0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000890000 | 0x00890000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x0089ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008b4fff | Private Memory | rw |
|
|
|
- |
| wscript.exe.mui | 0x008b0000 | 0x008b2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x008d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x00a23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a30000 | 0x00a30000 | 0x00a30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00aa0fff | Private Memory | rw |
|
|
|
- |
| wscript.exe | 0x00ab0000 | 0x00ac0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x00ad3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00ae0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00afffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00b00000 | 0x00bbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00cbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cc0000 | 0x00cc0000 | 0x00cc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x00ce9fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00cdffff | Private Memory | rw |
|
|
|
- |
| msmplics.dll | 0x00ce0000 | 0x00ce1fff | Memory Mapped File | r |
|
|
|
- |
| jscript.dll.mui | 0x00ce0000 | 0x00ce3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e33fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e43fff | Private Memory | rw |
|
|
|
- |
| tzres.dll | 0x00e50000 | 0x00e52fff | Memory Mapped File | r |
|
|
|
- |
| wshom.ocx | 0x00e50000 | 0x00e5cfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00eeffff | Private Memory | rw |
|
|
|
- |
| wmiutils.dll.mui | 0x00eb0000 | 0x00eb4fff | Memory Mapped File | r |
|
|
|
- |
| tzres.dll.mui | 0x00ef0000 | 0x00ef8fff | Memory Mapped File | r |
|
|
|
- |
| scrrun.dll | 0x00ef0000 | 0x00f04fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x010a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000010b0000 | 0x010b0000 | 0x011affff | Private Memory | rw |
|
|
|
- |
| stdole2.tlb | 0x011b0000 | 0x011b4fff | Memory Mapped File | r |
|
|
|
- |
| wbemdisp.tlb | 0x011c0000 | 0x011cefff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000011d0000 | 0x011d0000 | 0x011d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| wscript.exe | 0x011e0000 | 0x01207fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001210000 | 0x01210000 | 0x0520ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005210000 | 0x05210000 | 0x05390fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000053a0000 | 0x053a0000 | 0x0679ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x067a0000 | 0x06ad6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000006ae0000 | 0x06ae0000 | 0x06b97fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000006ba0000 | 0x06ba0000 | 0x06c9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006ca0000 | 0x06ca0000 | 0x06d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006da0000 | 0x06da0000 | 0x06e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006ea0000 | 0x06ea0000 | 0x06edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006ee0000 | 0x06ee0000 | 0x06f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006f20000 | 0x06f20000 | 0x06f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006f60000 | 0x06f60000 | 0x06f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006f70000 | 0x06f70000 | 0x0716ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007170000 | 0x07170000 | 0x0726ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007270000 | 0x07270000 | 0x0736ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007370000 | 0x07370000 | 0x0746ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007470000 | 0x07470000 | 0x0756ffff | Private Memory | rw |
|
|
|
- |
| cversions.1.db | 0x07570000 | 0x07573fff | Memory Mapped File | r |
|
|
|
- |
| shell32.dll | 0x07570000 | 0x0757efff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x07580000 | 0x07592fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000075a0000 | 0x075a0000 | 0x075a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000075b0000 | 0x075b0000 | 0x075b4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000075b0000 | 0x075b0000 | 0x075b8fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000075b0000 | 0x075b0000 | 0x075b2fff | Pagefile Backed Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x731b0000 | 0x7326bfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x73270000 | 0x73280fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x73290000 | 0x732adfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x732b0000 | 0x732bcfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x732c0000 | 0x73325fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemdisp.dll | 0x73330000 | 0x73371fff | Memory Mapped File | rwx |
|
|
|
- |
| wshom.ocx | 0x73380000 | 0x733a2fff | Memory Mapped File | rwx |
|
|
|
- |
| scrrun.dll | 0x733b0000 | 0x733dafff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x733e0000 | 0x733fefff | Memory Mapped File | rwx |
|
|
|
- |
| mpclient.dll | 0x73410000 | 0x734b1fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x737a0000 | 0x737b6fff | Memory Mapped File | rwx |
|
|
|
- |
| scrobj.dll | 0x737c0000 | 0x737f4fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x73800000 | 0x73891fff | Memory Mapped File | rwx |
|
|
|
- |
| wshext.dll | 0x738a0000 | 0x738b6fff | Memory Mapped File | rwx |
|
|
|
- |
| msisip.dll | 0x73930000 | 0x73939fff | Memory Mapped File | rwx |
|
|
|
- |
| wldp.dll | 0x73940000 | 0x7394cfff | Memory Mapped File | rwx |
|
|
|
- |
| mpoav.dll | 0x73950000 | 0x73965fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x73970000 | 0x73988fff | Memory Mapped File | rwx |
|
|
|
- |
| amsi.dll | 0x739b0000 | 0x739bcfff | Memory Mapped File | rwx |
|
|
|
- |
| jscript.dll | 0x739e0000 | 0x73a82fff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x73ac0000 | 0x73b3ffff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74400000 | 0x7442efff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74430000 | 0x7444afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74450000 | 0x74462fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74470000 | 0x745b1fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75220000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76820000 | 0x768a1fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x769b0000 | 0x76a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x76d30000 | 0x76d3dfff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x76d40000 | 0x76d81fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| coml2.dll | 0x772e0000 | 0x77337fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x773e0000 | 0x773e6fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x77ab0000 | 0x77c24fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007f701000 | 0x7f701000 | 0x7f703fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f704000 | 0x7f704000 | 0x7f706fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f707000 | 0x7f707000 | 0x7f709fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f70a000 | 0x7f70a000 | 0x7f70cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f70d000 | 0x7f70d000 | 0x7f70ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007f710000 | 0x7f710000 | 0x7f80ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f810000 | 0x7f810000 | 0x7f832fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f833000 | 0x7f833000 | 0x7f833fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f835000 | 0x7f835000 | 0x7f835fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f837000 | 0x7f837000 | 0x7f839fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f83a000 | 0x7f83a000 | 0x7f83cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f83d000 | 0x7f83d000 | 0x7f83ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
COM (34)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 00000323-0000-0000-C000-000000000046 | 00000146-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 06290BD1-48AA-11D2-8432-006008C3FBFC | E4D1C9B0-46E8-11D4-A2A6-00104BD35090 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | Scripting.FileSystemObject | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | WScript.Shell | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | Shell.Application | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | 76A64158-CB41-11D1-8B02-00600806D9B6 | 00000001-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
2 | |
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
2 | |
| Create | WbemDefaultPathParser | IWbemPath | cls_context = CLSCTX_INPROC_SERVER |
|
12 | |
| Create | 9AED384E-CE8B-11D1-8B05-00600806D9B6 | 00000001-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | 674B6698-EE92-11D0-AD71-00C04FD8FDFF | 44ACA674-E8FC-11D0-A07C-00C04FB68820 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | EB87E1BD-3233-11D2-AEC9-00C04FB68820 | EB87E1BC-3233-11D2-AEC9-00C04FB68820 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 76A64158-CB41-11D1-8B02-00600806D9B6 | 00000001-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\cimv2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_OperatingSystem |
|
2 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\default |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\default |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_ComputerSystemProduct |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_ComputerSystem |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\ROOT\OpenHardwareMonitor |
|
1 |
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | - | type = size |
|
1 | |
| Read | - | size = 105750, size_out = 105750 |
|
1 |
Registry (7)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 | value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | value_name = Default Impersonation Level, data = 3 |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational | size = 1, type = REG_SZ |
|
1 |
Module (16)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | amsi.dll | base_address = 0x739b0000 |
|
1 | |
| Load | C:\Windows\system32\advapi32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | shell32.dll | base_address = 0x75430000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernelbase.dll | base_address = 0x74e70000 |
|
1 | |
| Get Handle | c:\windows\syswow64\wscript.exe | base_address = 0x11e0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\wscript.exe, file_name_orig = C:\Windows\SysWOW64\wscript.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\wscript.exe, file_name_orig = C:\Windows\SysWOW64\wscript.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryProtectedPolicy, address_out = 0x74f39ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiInitialize, address_out = 0x739b3d40 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiScanString, address_out = 0x739b40e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = ResolveDelayLoadedAPI, address_out = 0x74f24e60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = ResolveDelayLoadsFromDll, address_out = 0x74fa0770 |
|
1 | |
| Get Address | c:\windows\syswow64\wscript.exe | function = 1, address_out = 0x11eb650 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = DuplicateTokenEx, address_out = 0x76a30c20 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | address_out = 0x755744a0 |
|
1 |
System (40)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Ticks, time = 135296 |
|
2 | |
| Get Time | type = Ticks, time = 138921 |
|
1 | |
| Get Time | type = Ticks, time = 139328 |
|
1 | |
| Get Time | type = Ticks, time = 139515 |
|
1 | |
| Get Time | type = Ticks, time = 139531 |
|
1 | |
| Get Time | type = Ticks, time = 157046 |
|
1 | |
| Get Time | type = Ticks, time = 159953 |
|
8 | |
| Get Time | type = System Time, time = 2018-11-07 11:29:32 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 160312 |
|
2 | |
| Get Time | type = Ticks, time = 160328 |
|
10 | |
| Get Time | type = Ticks, time = 160343 |
|
2 | |
| Get Time | type = Ticks, time = 170093 |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Operating System |
|
5 | |
| Get Info | type = Hardware Information |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = JS_PROFILER |
|
1 |
Process #3: wscript.exe
79
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\syswow64\wscript.exe |
| Command Line | "C:\Windows\System32\wscript.exe" //B "C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\prepare.js" drivers |
| Initial Working Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\ |
| Monitor | Start Time: 00:01:22, Reason: Child Process |
| Unmonitor | End Time: 00:03:58, Reason: Self Terminated |
| Monitor Duration | 00:02:36 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xecc |
| Parent PID | 0xe80 (c:\users\ciihmnxmn6ps\desktop\driverpack-17-online.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ED0
0x
F0C
0x
F54
0x
F58
0x
F7C
0x
F8C
0x
F98
0x
F9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000690000 | 0x00690000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x0069ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006b4fff | Private Memory | rw |
|
|
|
- |
| wscript.exe.mui | 0x006b0000 | 0x006b2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x006d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x00823fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x00830fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x00841fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00850000 | 0x0090dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x0094ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0095ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x00a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a60fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a70fff | Private Memory | rw |
|
|
|
- |
| wscript.exe | 0x00a80000 | 0x00a90fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00b9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x00d27fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d30000 | 0x00d30000 | 0x00d33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d40000 | 0x00d40000 | 0x00d40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x00ee0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00f2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f30000 | 0x00f30000 | 0x00f30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x00f99fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00f8ffff | Private Memory | rw |
|
|
|
- |
| msmplics.dll | 0x00f90000 | 0x00f91fff | Memory Mapped File | r |
|
|
|
- |
| jscript.dll.mui | 0x00f90000 | 0x00f93fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x00feffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x010effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000010f0000 | 0x010f0000 | 0x011a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000011b0000 | 0x011b0000 | 0x011b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000011c0000 | 0x011c0000 | 0x011c3fff | Private Memory | rw |
|
|
|
- |
| tzres.dll | 0x011d0000 | 0x011d2fff | Memory Mapped File | r |
|
|
|
- |
| wshom.ocx | 0x011d0000 | 0x011dcfff | Memory Mapped File | r |
|
|
|
- |
| wscript.exe | 0x011e0000 | 0x01207fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001210000 | 0x01210000 | 0x0520ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005210000 | 0x05210000 | 0x0660ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06610000 | 0x06946fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006950000 | 0x06950000 | 0x06a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006a50000 | 0x06a50000 | 0x06b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006b50000 | 0x06b50000 | 0x06c4ffff | Private Memory | rw |
|
|
|
- |
| tzres.dll.mui | 0x06c50000 | 0x06c58fff | Memory Mapped File | r |
|
|
|
- |
| stdole2.tlb | 0x06c50000 | 0x06c54fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006c60000 | 0x06c60000 | 0x06c6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006c70000 | 0x06c70000 | 0x06e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006e70000 | 0x06e70000 | 0x06eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006eb0000 | 0x06eb0000 | 0x06faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006fb0000 | 0x06fb0000 | 0x06feffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006ff0000 | 0x06ff0000 | 0x070effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000070f0000 | 0x070f0000 | 0x0712ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007130000 | 0x07130000 | 0x0722ffff | Private Memory | rw |
|
|
|
- |
| scrrun.dll | 0x07230000 | 0x07244fff | Memory Mapped File | r |
|
|
|
- |
| wbemdisp.tlb | 0x07250000 | 0x0725efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000007260000 | 0x07260000 | 0x0735ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000007360000 | 0x07360000 | 0x07360fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.1.db | 0x07370000 | 0x07373fff | Memory Mapped File | r |
|
|
|
- |
| shell32.dll | 0x07370000 | 0x0737efff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x07380000 | 0x07392fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000073a0000 | 0x073a0000 | 0x073a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000073b0000 | 0x073b0000 | 0x073b4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x731b0000 | 0x7326bfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x73270000 | 0x73280fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x73290000 | 0x732adfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x732b0000 | 0x732bcfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x732c0000 | 0x73325fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemdisp.dll | 0x73330000 | 0x73371fff | Memory Mapped File | rwx |
|
|
|
- |
| wshom.ocx | 0x73380000 | 0x733a2fff | Memory Mapped File | rwx |
|
|
|
- |
| scrrun.dll | 0x733b0000 | 0x733dafff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x733e0000 | 0x733fefff | Memory Mapped File | rwx |
|
|
|
- |
| mpclient.dll | 0x73410000 | 0x734b1fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x737a0000 | 0x737b6fff | Memory Mapped File | rwx |
|
|
|
- |
| scrobj.dll | 0x737c0000 | 0x737f4fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x73800000 | 0x73891fff | Memory Mapped File | rwx |
|
|
|
- |
| wshext.dll | 0x738a0000 | 0x738b6fff | Memory Mapped File | rwx |
|
|
|
- |
| msisip.dll | 0x73930000 | 0x73939fff | Memory Mapped File | rwx |
|
|
|
- |
| wldp.dll | 0x73940000 | 0x7394cfff | Memory Mapped File | rwx |
|
|
|
- |
| mpoav.dll | 0x73950000 | 0x73965fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x73970000 | 0x73988fff | Memory Mapped File | rwx |
|
|
|
- |
| amsi.dll | 0x739b0000 | 0x739bcfff | Memory Mapped File | rwx |
|
|
|
- |
| jscript.dll | 0x739e0000 | 0x73a82fff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x73ac0000 | 0x73b3ffff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74400000 | 0x7442efff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74430000 | 0x7444afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74450000 | 0x74462fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74470000 | 0x745b1fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75220000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76820000 | 0x768a1fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x769b0000 | 0x76a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x76d30000 | 0x76d3dfff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x76d40000 | 0x76d81fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| coml2.dll | 0x772e0000 | 0x77337fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x773e0000 | 0x773e6fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x77ab0000 | 0x77c24fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007eae1000 | 0x7eae1000 | 0x7eae3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eae4000 | 0x7eae4000 | 0x7eae6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eae7000 | 0x7eae7000 | 0x7eae9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eaea000 | 0x7eaea000 | 0x7eaecfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eaed000 | 0x7eaed000 | 0x7eaeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007eaf0000 | 0x7eaf0000 | 0x7ebeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ebf0000 | 0x7ebf0000 | 0x7ec12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec15000 | 0x7ec15000 | 0x7ec17fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec18000 | 0x7ec18000 | 0x7ec18fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec19000 | 0x7ec19000 | 0x7ec1bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec1c000 | 0x7ec1c000 | 0x7ec1efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec1f000 | 0x7ec1f000 | 0x7ec1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
COM (24)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 00000323-0000-0000-C000-000000000046 | 00000146-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 06290BD1-48AA-11D2-8432-006008C3FBFC | E4D1C9B0-46E8-11D4-A2A6-00104BD35090 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | Scripting.FileSystemObject | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | WScript.Shell | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | Shell.Application | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | 76A64158-CB41-11D1-8B02-00600806D9B6 | 00000001-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | WbemDefaultPathParser | IWbemPath | cls_context = CLSCTX_INPROC_SERVER |
|
9 | |
| Create | 9AED384E-CE8B-11D1-8B05-00600806D9B6 | 00000001-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | 674B6698-EE92-11D0-AD71-00C04FD8FDFF | 44ACA674-E8FC-11D0-A07C-00C04FB68820 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\cimv2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_OperatingSystem |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\default |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\default |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_PnPSignedDriver |
|
1 |
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | - | type = size |
|
1 | |
| Read | - | size = 105750, size_out = 105750 |
|
1 |
Registry (7)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 | value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | value_name = Default Impersonation Level, data = 3 |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational | size = 1, type = REG_SZ |
|
1 |
Module (16)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | amsi.dll | base_address = 0x739b0000 |
|
1 | |
| Load | C:\Windows\system32\advapi32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | shell32.dll | base_address = 0x75430000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernelbase.dll | base_address = 0x74e70000 |
|
1 | |
| Get Handle | c:\windows\syswow64\wscript.exe | base_address = 0x11e0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\wscript.exe, file_name_orig = C:\Windows\SysWOW64\wscript.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\wscript.exe, file_name_orig = C:\Windows\SysWOW64\wscript.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryProtectedPolicy, address_out = 0x74f39ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiInitialize, address_out = 0x739b3d40 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiScanString, address_out = 0x739b40e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = ResolveDelayLoadedAPI, address_out = 0x74f24e60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = ResolveDelayLoadsFromDll, address_out = 0x74fa0770 |
|
1 | |
| Get Address | c:\windows\syswow64\wscript.exe | function = 1, address_out = 0x11eb650 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = DuplicateTokenEx, address_out = 0x76a30c20 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | address_out = 0x755744a0 |
|
1 |
System (25)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Ticks, time = 135312 |
|
2 | |
| Get Time | type = Ticks, time = 138859 |
|
1 | |
| Get Time | type = Ticks, time = 139468 |
|
1 | |
| Get Time | type = Ticks, time = 139484 |
|
1 | |
| Get Time | type = Ticks, time = 139578 |
|
1 | |
| Get Time | type = Ticks, time = 156843 |
|
1 | |
| Get Time | type = Ticks, time = 159406 |
|
6 | |
| Get Time | type = Ticks, time = 159421 |
|
1 | |
| Get Time | type = Ticks, time = 159437 |
|
1 | |
| Get Time | type = System Time, time = 2018-11-07 11:29:32 (UTC) |
|
2 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Operating System |
|
5 | |
| Get Info | type = Hardware Information |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = JS_PROFILER |
|
1 |
Process #4: wscript.exe
87
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\syswow64\wscript.exe |
| Command Line | "C:\Windows\System32\wscript.exe" //B "C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\prepare.js" newsoft |
| Initial Working Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\ |
| Monitor | Start Time: 00:01:22, Reason: Child Process |
| Unmonitor | End Time: 00:04:35, Reason: Self Terminated |
| Monitor Duration | 00:03:13 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xed4 |
| Parent PID | 0xe80 (c:\users\ciihmnxmn6ps\desktop\driverpack-17-online.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ED8
0x
F10
0x
F50
0x
F5C
0x
F70
0x
FA8
0x
FB8
0x
FBC
0x
350
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000830000 | 0x00830000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x0083ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x00843fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x00854fff | Private Memory | rw |
|
|
|
- |
| wscript.exe.mui | 0x00850000 | 0x00852fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x00873fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x009bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009c0000 | 0x009c0000 | 0x009c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x009d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x009e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x009f0000 | 0x00aadfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00ab0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00ac0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00d1ffff | Private Memory | rw |
|
|
|
- |
| wscript.exe | 0x00d20000 | 0x00d30fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00d7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00e7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x00e83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00eaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000eb0000 | 0x00eb0000 | 0x01037fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001040000 | 0x01040000 | 0x011c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000011d0000 | 0x011d0000 | 0x011d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| wscript.exe | 0x011e0000 | 0x01207fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001210000 | 0x01210000 | 0x0520ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005210000 | 0x05210000 | 0x0660ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06610000 | 0x06946fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000006950000 | 0x06950000 | 0x06a07fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000006a10000 | 0x06a10000 | 0x06a10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000006a20000 | 0x06a20000 | 0x06a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006a60000 | 0x06a60000 | 0x06b5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000006b60000 | 0x06b60000 | 0x06b79fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000006b60000 | 0x06b60000 | 0x06b6ffff | Private Memory | rw |
|
|
|
- |
| msmplics.dll | 0x06b70000 | 0x06b71fff | Memory Mapped File | r |
|
|
|
- |
| jscript.dll.mui | 0x06b70000 | 0x06b73fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006b80000 | 0x06b80000 | 0x06bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006bc0000 | 0x06bc0000 | 0x06cbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006cc0000 | 0x06cc0000 | 0x06cc3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006cd0000 | 0x06cd0000 | 0x06cd3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006ce0000 | 0x06ce0000 | 0x06d1ffff | Private Memory | rw |
|
|
|
- |
| tzres.dll | 0x06d20000 | 0x06d22fff | Memory Mapped File | r |
|
|
|
- |
| scrrun.dll | 0x06d20000 | 0x06d34fff | Memory Mapped File | r |
|
|
|
- |
| tzres.dll.mui | 0x06d30000 | 0x06d38fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006d40000 | 0x06d40000 | 0x06d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006d50000 | 0x06d50000 | 0x06e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006e50000 | 0x06e50000 | 0x0704ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007050000 | 0x07050000 | 0x0714ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007150000 | 0x07150000 | 0x0718ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007190000 | 0x07190000 | 0x0728ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007290000 | 0x07290000 | 0x072cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000072d0000 | 0x072d0000 | 0x073cffff | Private Memory | rw |
|
|
|
- |
| wshom.ocx | 0x073d0000 | 0x073dcfff | Memory Mapped File | r |
|
|
|
- |
| stdole2.tlb | 0x073e0000 | 0x073e4fff | Memory Mapped File | r |
|
|
|
- |
| wbemdisp.tlb | 0x073f0000 | 0x073fefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000007400000 | 0x07400000 | 0x074fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000007500000 | 0x07500000 | 0x07500fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.1.db | 0x07510000 | 0x07513fff | Memory Mapped File | r |
|
|
|
- |
| shell32.dll | 0x07510000 | 0x0751efff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x07520000 | 0x07532fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000007540000 | 0x07540000 | 0x07540fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000007550000 | 0x07550000 | 0x07554fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000007550000 | 0x07550000 | 0x07558fff | Pagefile Backed Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x731b0000 | 0x7326bfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x73270000 | 0x73280fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x73290000 | 0x732adfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x732b0000 | 0x732bcfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x732c0000 | 0x73325fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemdisp.dll | 0x73330000 | 0x73371fff | Memory Mapped File | rwx |
|
|
|
- |
| wshom.ocx | 0x73380000 | 0x733a2fff | Memory Mapped File | rwx |
|
|
|
- |
| scrrun.dll | 0x733b0000 | 0x733dafff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x733e0000 | 0x733fefff | Memory Mapped File | rwx |
|
|
|
- |
| mpclient.dll | 0x73410000 | 0x734b1fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x737a0000 | 0x737b6fff | Memory Mapped File | rwx |
|
|
|
- |
| scrobj.dll | 0x737c0000 | 0x737f4fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x73800000 | 0x73891fff | Memory Mapped File | rwx |
|
|
|
- |
| wshext.dll | 0x738a0000 | 0x738b6fff | Memory Mapped File | rwx |
|
|
|
- |
| msisip.dll | 0x73930000 | 0x73939fff | Memory Mapped File | rwx |
|
|
|
- |
| wldp.dll | 0x73940000 | 0x7394cfff | Memory Mapped File | rwx |
|
|
|
- |
| mpoav.dll | 0x73950000 | 0x73965fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x73970000 | 0x73988fff | Memory Mapped File | rwx |
|
|
|
- |
| amsi.dll | 0x739b0000 | 0x739bcfff | Memory Mapped File | rwx |
|
|
|
- |
| jscript.dll | 0x739e0000 | 0x73a82fff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x73ac0000 | 0x73b3ffff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74400000 | 0x7442efff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74430000 | 0x7444afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74450000 | 0x74462fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74470000 | 0x745b1fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75220000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76820000 | 0x768a1fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x769b0000 | 0x76a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x76d30000 | 0x76d3dfff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x76d40000 | 0x76d81fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| coml2.dll | 0x772e0000 | 0x77337fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x773e0000 | 0x773e6fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x77ab0000 | 0x77c24fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007f5f1000 | 0x7f5f1000 | 0x7f5f3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5f4000 | 0x7f5f4000 | 0x7f5f6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5f7000 | 0x7f5f7000 | 0x7f5f9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5fa000 | 0x7f5fa000 | 0x7f5fcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5fd000 | 0x7f5fd000 | 0x7f5fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007f600000 | 0x7f600000 | 0x7f6fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f700000 | 0x7f700000 | 0x7f722fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f723000 | 0x7f723000 | 0x7f725fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f726000 | 0x7f726000 | 0x7f728fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f729000 | 0x7f729000 | 0x7f729fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f72a000 | 0x7f72a000 | 0x7f72afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f72d000 | 0x7f72d000 | 0x7f72ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
COM (23)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 00000323-0000-0000-C000-000000000046 | 00000146-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 06290BD1-48AA-11D2-8432-006008C3FBFC | E4D1C9B0-46E8-11D4-A2A6-00104BD35090 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | Scripting.FileSystemObject | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | WScript.Shell | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | Shell.Application | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | 76A64158-CB41-11D1-8B02-00600806D9B6 | 00000001-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | WbemDefaultPathParser | IWbemPath | cls_context = CLSCTX_INPROC_SERVER |
|
9 | |
| Create | 9AED384E-CE8B-11D1-8B05-00600806D9B6 | 00000001-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | 674B6698-EE92-11D0-AD71-00C04FD8FDFF | 44ACA674-E8FC-11D0-A07C-00C04FB68820 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\cimv2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_OperatingSystem |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\default |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\default |
|
1 |
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | - | type = size |
|
1 | |
| Read | - | size = 105750, size_out = 105750 |
|
1 |
Registry (7)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 | value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | value_name = Default Impersonation Level, data = 3 |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational | size = 1, type = REG_SZ |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | Unknown | - |
|
2 |
Module (16)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | amsi.dll | base_address = 0x739b0000 |
|
1 | |
| Load | C:\Windows\system32\advapi32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | shell32.dll | base_address = 0x75430000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernelbase.dll | base_address = 0x74e70000 |
|
1 | |
| Get Handle | c:\windows\syswow64\wscript.exe | base_address = 0x11e0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\wscript.exe, file_name_orig = C:\Windows\SysWOW64\wscript.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\wscript.exe, file_name_orig = C:\Windows\SysWOW64\wscript.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryProtectedPolicy, address_out = 0x74f39ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiInitialize, address_out = 0x739b3d40 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiScanString, address_out = 0x739b40e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = ResolveDelayLoadedAPI, address_out = 0x74f24e60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = ResolveDelayLoadsFromDll, address_out = 0x74fa0770 |
|
1 | |
| Get Address | c:\windows\syswow64\wscript.exe | function = 1, address_out = 0x11eb650 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = DuplicateTokenEx, address_out = 0x76a30c20 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | address_out = 0x755744a0 |
|
1 |
System (31)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Ticks, time = 135328 |
|
2 | |
| Get Time | type = Ticks, time = 139000 |
|
1 | |
| Get Time | type = Ticks, time = 139390 |
|
1 | |
| Get Time | type = Ticks, time = 139406 |
|
1 | |
| Get Time | type = Ticks, time = 139546 |
|
1 | |
| Get Time | type = Ticks, time = 157031 |
|
1 | |
| Get Time | type = Ticks, time = 159890 |
|
8 | |
| Get Time | type = System Time, time = 2018-11-07 11:29:32 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 159921 |
|
4 | |
| Get Time | type = Ticks, time = 159937 |
|
2 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Operating System |
|
5 | |
| Get Info | type = Hardware Information |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = JS_PROFILER |
|
1 |
Process #5: wscript.exe
94
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\syswow64\wscript.exe |
| Command Line | "C:\Windows\System32\wscript.exe" //B "C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\prepare.js" hardware |
| Initial Working Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\ |
| Monitor | Start Time: 00:01:22, Reason: Child Process |
| Unmonitor | End Time: 00:02:17, Reason: Self Terminated |
| Monitor Duration | 00:00:55 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xedc |
| Parent PID | 0xe80 (c:\users\ciihmnxmn6ps\desktop\driverpack-17-online.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EE0
0x
F14
0x
F48
0x
F64
0x
F68
0x
FB4
0x
FC0
0x
FC4
0x
C10
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000af0000 | 0x00af0000 | 0x00b0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x00afffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b03fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b14fff | Private Memory | rw |
|
|
|
- |
| wscript.exe.mui | 0x00b10000 | 0x00b12fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x00b33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00c7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c80000 | 0x00c80000 | 0x00c83fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c90000 | 0x00c90000 | 0x00c90fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00ca1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00cf0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d00fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d10000 | 0x00d10000 | 0x00d13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d2ffff | Private Memory | rw |
|
|
|
- |
| wscript.exe | 0x00d30000 | 0x00d40fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000d50000 | 0x00d50000 | 0x00d50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d6ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d70000 | 0x00e2dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e70000 | 0x00e70000 | 0x00e70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00ebffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ec0000 | 0x00ec0000 | 0x00ed9fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00ecffff | Private Memory | rw |
|
|
|
- |
| msmplics.dll | 0x00ed0000 | 0x00ed1fff | Memory Mapped File | r |
|
|
|
- |
| jscript.dll.mui | 0x00ed0000 | 0x00ed3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x0101ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x0111ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001120000 | 0x01120000 | 0x011d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| wscript.exe | 0x011e0000 | 0x01207fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001210000 | 0x01210000 | 0x0520ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005210000 | 0x05210000 | 0x0530ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005310000 | 0x05310000 | 0x05313fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005320000 | 0x05320000 | 0x05323fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005330000 | 0x05330000 | 0x0536ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x0537ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005380000 | 0x05380000 | 0x05507fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005510000 | 0x05510000 | 0x05690fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000056a0000 | 0x056a0000 | 0x06a9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06aa0000 | 0x06dd6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006de0000 | 0x06de0000 | 0x06edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006ee0000 | 0x06ee0000 | 0x06fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006fe0000 | 0x06fe0000 | 0x070dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000070e0000 | 0x070e0000 | 0x0711ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007120000 | 0x07120000 | 0x0712ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007130000 | 0x07130000 | 0x0732ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007330000 | 0x07330000 | 0x0742ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007430000 | 0x07430000 | 0x0752ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007530000 | 0x07530000 | 0x0756ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007570000 | 0x07570000 | 0x0766ffff | Private Memory | rw |
|
|
|
- |
| tzres.dll | 0x07670000 | 0x07672fff | Memory Mapped File | r |
|
|
|
- |
| scrrun.dll | 0x07670000 | 0x07684fff | Memory Mapped File | r |
|
|
|
- |
| tzres.dll.mui | 0x07680000 | 0x07688fff | Memory Mapped File | r |
|
|
|
- |
| wshom.ocx | 0x07690000 | 0x0769cfff | Memory Mapped File | r |
|
|
|
- |
| stdole2.tlb | 0x076a0000 | 0x076a4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000076b0000 | 0x076b0000 | 0x076effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000076f0000 | 0x076f0000 | 0x077effff | Private Memory | rw |
|
|
|
- |
| wbemdisp.tlb | 0x077f0000 | 0x077fefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000007800000 | 0x07800000 | 0x078fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000007900000 | 0x07900000 | 0x07900fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.1.db | 0x07910000 | 0x07913fff | Memory Mapped File | r |
|
|
|
- |
| shell32.dll | 0x07910000 | 0x0791efff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x07920000 | 0x07932fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000007940000 | 0x07940000 | 0x07940fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000007950000 | 0x07950000 | 0x07954fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000007950000 | 0x07950000 | 0x07958fff | Pagefile Backed Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x731b0000 | 0x7326bfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x73270000 | 0x73280fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x73290000 | 0x732adfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x732b0000 | 0x732bcfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x732c0000 | 0x73325fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemdisp.dll | 0x73330000 | 0x73371fff | Memory Mapped File | rwx |
|
|
|
- |
| wshom.ocx | 0x73380000 | 0x733a2fff | Memory Mapped File | rwx |
|
|
|
- |
| scrrun.dll | 0x733b0000 | 0x733dafff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x733e0000 | 0x733fefff | Memory Mapped File | rwx |
|
|
|
- |
| mpclient.dll | 0x73410000 | 0x734b1fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x737a0000 | 0x737b6fff | Memory Mapped File | rwx |
|
|
|
- |
| scrobj.dll | 0x737c0000 | 0x737f4fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x73800000 | 0x73891fff | Memory Mapped File | rwx |
|
|
|
- |
| wshext.dll | 0x738a0000 | 0x738b6fff | Memory Mapped File | rwx |
|
|
|
- |
| msisip.dll | 0x73930000 | 0x73939fff | Memory Mapped File | rwx |
|
|
|
- |
| wldp.dll | 0x73940000 | 0x7394cfff | Memory Mapped File | rwx |
|
|
|
- |
| mpoav.dll | 0x73950000 | 0x73965fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x73970000 | 0x73988fff | Memory Mapped File | rwx |
|
|
|
- |
| amsi.dll | 0x739b0000 | 0x739bcfff | Memory Mapped File | rwx |
|
|
|
- |
| jscript.dll | 0x739e0000 | 0x73a82fff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x73ac0000 | 0x73b3ffff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74400000 | 0x7442efff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74430000 | 0x7444afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74450000 | 0x74462fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74470000 | 0x745b1fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75220000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76820000 | 0x768a1fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x769b0000 | 0x76a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x76d30000 | 0x76d3dfff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x76d40000 | 0x76d81fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| coml2.dll | 0x772e0000 | 0x77337fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x773e0000 | 0x773e6fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x77ab0000 | 0x77c24fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007fa8b000 | 0x7fa8b000 | 0x7fa8dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa8e000 | 0x7fa8e000 | 0x7fa90fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa91000 | 0x7fa91000 | 0x7fa93fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa94000 | 0x7fa94000 | 0x7fa96fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa97000 | 0x7fa97000 | 0x7fa99fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa9a000 | 0x7fa9a000 | 0x7fa9cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa9d000 | 0x7fa9d000 | 0x7fa9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007faa0000 | 0x7faa0000 | 0x7fb9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fba0000 | 0x7fba0000 | 0x7fbc2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fbc4000 | 0x7fbc4000 | 0x7fbc6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fbc7000 | 0x7fbc7000 | 0x7fbc9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fbca000 | 0x7fbca000 | 0x7fbcafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fbcd000 | 0x7fbcd000 | 0x7fbcdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\ciihmnxmn6ps\appdata\roaming\drpsu\diagnostics\hardware.json | 18.01 KB |
MD5:
8b2883e1f4b212cb4ac9a663756871ed
SHA1: c02555156146fb07b98e7b36adf716fe4cbd93b2 SHA256: 57e33fc957b5352ad164791f8e4dfd88f726fc5791262de102d304d6b6c17085 SSDeep: 96:LRJIlslZeyUv932jZ8+GB4xrKSHsA13/ZjXn2XIcyYXEzJuA8OIYg/EjV+gnYP3F:LR1ghsXjdipwR9poVRxRCHq |
|
|
Host Behavior
COM (24)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 00000323-0000-0000-C000-000000000046 | 00000146-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 06290BD1-48AA-11D2-8432-006008C3FBFC | E4D1C9B0-46E8-11D4-A2A6-00104BD35090 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | Scripting.FileSystemObject | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | WScript.Shell | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | Shell.Application | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | 76A64158-CB41-11D1-8B02-00600806D9B6 | 00000001-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | WbemDefaultPathParser | IWbemPath | cls_context = CLSCTX_INPROC_SERVER |
|
9 | |
| Create | 9AED384E-CE8B-11D1-8B05-00600806D9B6 | 00000001-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | 674B6698-EE92-11D0-AD71-00C04FD8FDFF | 44ACA674-E8FC-11D0-A07C-00C04FB68820 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\cimv2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_OperatingSystem |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\default |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\default |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_PnPEntity |
|
1 |
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | - | type = size |
|
1 | |
| Read | - | size = 105750, size_out = 105750 |
|
1 |
Registry (7)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 | value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | value_name = Default Impersonation Level, data = 3 |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational | size = 1, type = REG_SZ |
|
1 |
Module (16)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | amsi.dll | base_address = 0x739b0000 |
|
1 | |
| Load | C:\Windows\system32\advapi32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | shell32.dll | base_address = 0x75430000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernelbase.dll | base_address = 0x74e70000 |
|
1 | |
| Get Handle | c:\windows\syswow64\wscript.exe | base_address = 0x11e0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\wscript.exe, file_name_orig = C:\Windows\SysWOW64\wscript.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\wscript.exe, file_name_orig = C:\Windows\SysWOW64\wscript.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryProtectedPolicy, address_out = 0x74f39ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiInitialize, address_out = 0x739b3d40 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiScanString, address_out = 0x739b40e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = ResolveDelayLoadedAPI, address_out = 0x74f24e60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = ResolveDelayLoadsFromDll, address_out = 0x74fa0770 |
|
1 | |
| Get Address | c:\windows\syswow64\wscript.exe | function = 1, address_out = 0x11eb650 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = DuplicateTokenEx, address_out = 0x76a30c20 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | address_out = 0x755744a0 |
|
1 |
System (40)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Ticks, time = 135375 |
|
2 | |
| Get Time | type = Ticks, time = 138890 |
|
1 | |
| Get Time | type = Ticks, time = 139343 |
|
1 | |
| Get Time | type = Ticks, time = 139359 |
|
1 | |
| Get Time | type = Ticks, time = 139375 |
|
1 | |
| Get Time | type = Ticks, time = 157109 |
|
1 | |
| Get Time | type = Ticks, time = 160250 |
|
7 | |
| Get Time | type = Ticks, time = 160640 |
|
1 | |
| Get Time | type = System Time, time = 2018-11-07 11:29:33 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 163703 |
|
1 | |
| Get Time | type = Ticks, time = 164656 |
|
1 | |
| Get Time | type = Ticks, time = 165281 |
|
1 | |
| Get Time | type = Ticks, time = 165343 |
|
1 | |
| Get Time | type = Ticks, time = 165390 |
|
1 | |
| Get Time | type = Ticks, time = 165437 |
|
1 | |
| Get Time | type = Ticks, time = 166015 |
|
1 | |
| Get Time | type = Ticks, time = 166328 |
|
1 | |
| Get Time | type = Ticks, time = 166937 |
|
1 | |
| Get Time | type = Ticks, time = 167343 |
|
1 | |
| Get Time | type = Ticks, time = 167812 |
|
1 | |
| Get Time | type = Ticks, time = 169484 |
|
1 | |
| Get Time | type = Ticks, time = 170000 |
|
1 | |
| Get Time | type = Ticks, time = 170625 |
|
1 | |
| Get Time | type = Ticks, time = 186000 |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Operating System |
|
5 | |
| Get Info | type = Hardware Information |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = JS_PROFILER |
|
1 |
Process #6: wscript.exe
81
20
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\syswow64\wscript.exe |
| Command Line | "C:\Windows\System32\wscript.exe" //B "C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\prepare.js" binaries |
| Initial Working Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\ |
| Monitor | Start Time: 00:01:22, Reason: Child Process |
| Unmonitor | End Time: 00:02:06, Reason: Self Terminated |
| Monitor Duration | 00:00:44 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xee4 |
| Parent PID | 0xe80 (c:\users\ciihmnxmn6ps\desktop\driverpack-17-online.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EE8
0x
F18
0x
F40
0x
F6C
0x
F78
0x
F90
0x
FA0
0x
FA4
0x
C38
0x
D94
0x
644
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000330000 | 0x00330000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x0033ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00343fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00354fff | Private Memory | rw |
|
|
|
- |
| wscript.exe.mui | 0x00350000 | 0x00352fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00373fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x004d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x004f0000 | 0x005adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x00710fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x00723fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| wscript.exe | 0x00830000 | 0x00840fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x00850fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x00860fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x00873fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x0088ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x008a9fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| msmplics.dll | 0x008a0000 | 0x008a1fff | Memory Mapped File | r |
|
|
|
- |
| jscript.dll.mui | 0x008a0000 | 0x008a3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x00a47fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x00bd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x00be0000 | 0x00f16fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x00f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x0105ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001060000 | 0x01060000 | 0x01117fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001120000 | 0x01120000 | 0x0115ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x0119ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000011a0000 | 0x011a0000 | 0x011a3fff | Private Memory | rw |
|
|
|
- |
| tzres.dll | 0x011b0000 | 0x011b2fff | Memory Mapped File | r |
|
|
|
- |
| scrrun.dll | 0x011b0000 | 0x011c4fff | Memory Mapped File | r |
|
|
|
- |
| tzres.dll.mui | 0x011c0000 | 0x011c8fff | Memory Mapped File | r |
|
|
|
- |
| wshom.ocx | 0x011d0000 | 0x011dcfff | Memory Mapped File | r |
|
|
|
- |
| wscript.exe | 0x011e0000 | 0x01207fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001210000 | 0x01210000 | 0x0520ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005210000 | 0x05210000 | 0x0660ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000006610000 | 0x06610000 | 0x0670ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006710000 | 0x06710000 | 0x0680ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006810000 | 0x06810000 | 0x0690ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006910000 | 0x06910000 | 0x0694ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006950000 | 0x06950000 | 0x0698ffff | Private Memory | rw |
|
|
|
- |
| stdole2.tlb | 0x06990000 | 0x06994fff | Memory Mapped File | r |
|
|
|
- |
| wbemdisp.tlb | 0x069a0000 | 0x069aefff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000069b0000 | 0x069b0000 | 0x069b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000069c0000 | 0x069c0000 | 0x069cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000069d0000 | 0x069d0000 | 0x06bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006bd0000 | 0x06bd0000 | 0x06ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006cd0000 | 0x06cd0000 | 0x06dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006dd0000 | 0x06dd0000 | 0x06e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006e10000 | 0x06e10000 | 0x06f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006f10000 | 0x06f10000 | 0x06f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006f50000 | 0x06f50000 | 0x0704ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007050000 | 0x07050000 | 0x0714ffff | Private Memory | rw |
|
|
|
- |
| cversions.1.db | 0x07150000 | 0x07153fff | Memory Mapped File | r |
|
|
|
- |
| shell32.dll | 0x07150000 | 0x0715efff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x07160000 | 0x07172fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000007180000 | 0x07180000 | 0x07180fff | Pagefile Backed Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x71d20000 | 0x71d4ffff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x71d50000 | 0x71d60fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x71d70000 | 0x71e16fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x731b0000 | 0x7326bfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x73270000 | 0x73280fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x73290000 | 0x732adfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x732b0000 | 0x732bcfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x732c0000 | 0x73325fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemdisp.dll | 0x73330000 | 0x73371fff | Memory Mapped File | rwx |
|
|
|
- |
| wshom.ocx | 0x73380000 | 0x733a2fff | Memory Mapped File | rwx |
|
|
|
- |
| scrrun.dll | 0x733b0000 | 0x733dafff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x733e0000 | 0x733fefff | Memory Mapped File | rwx |
|
|
|
- |
| mpclient.dll | 0x73410000 | 0x734b1fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x737a0000 | 0x737b6fff | Memory Mapped File | rwx |
|
|
|
- |
| scrobj.dll | 0x737c0000 | 0x737f4fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x73800000 | 0x73891fff | Memory Mapped File | rwx |
|
|
|
- |
| wshext.dll | 0x738a0000 | 0x738b6fff | Memory Mapped File | rwx |
|
|
|
- |
| msisip.dll | 0x73930000 | 0x73939fff | Memory Mapped File | rwx |
|
|
|
- |
| wldp.dll | 0x73940000 | 0x7394cfff | Memory Mapped File | rwx |
|
|
|
- |
| mpoav.dll | 0x73950000 | 0x73965fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x73970000 | 0x73988fff | Memory Mapped File | rwx |
|
|
|
- |
| amsi.dll | 0x739b0000 | 0x739bcfff | Memory Mapped File | rwx |
|
|
|
- |
| jscript.dll | 0x739e0000 | 0x73a82fff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x73ac0000 | 0x73b3ffff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74400000 | 0x7442efff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74430000 | 0x7444afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74450000 | 0x74462fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74470000 | 0x745b1fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75220000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76820000 | 0x768a1fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x769b0000 | 0x76a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x76d30000 | 0x76d3dfff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x76d40000 | 0x76d81fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| coml2.dll | 0x772e0000 | 0x77337fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x773e0000 | 0x773e6fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x77ab0000 | 0x77c24fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007f89b000 | 0x7f89b000 | 0x7f89dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f89e000 | 0x7f89e000 | 0x7f8a0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8a1000 | 0x7f8a1000 | 0x7f8a3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8a4000 | 0x7f8a4000 | 0x7f8a6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8a7000 | 0x7f8a7000 | 0x7f8a9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8aa000 | 0x7f8aa000 | 0x7f8acfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8ad000 | 0x7f8ad000 | 0x7f8affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007f8b0000 | 0x7f8b0000 | 0x7f9affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f9b0000 | 0x7f9b0000 | 0x7f9d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f9d5000 | 0x7f9d5000 | 0x7f9d7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9d8000 | 0x7f9d8000 | 0x7f9d8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9db000 | 0x7f9db000 | 0x7f9dbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9dd000 | 0x7f9dd000 | 0x7f9dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 23 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
COM (25)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 00000323-0000-0000-C000-000000000046 | 00000146-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 06290BD1-48AA-11D2-8432-006008C3FBFC | E4D1C9B0-46E8-11D4-A2A6-00104BD35090 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | Scripting.FileSystemObject | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | WScript.Shell | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | Shell.Application | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | 76A64158-CB41-11D1-8B02-00600806D9B6 | 00000001-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | WbemDefaultPathParser | IWbemPath | cls_context = CLSCTX_INPROC_SERVER |
|
3 | |
| Create | WinHttp.WinHttpRequest.5.1 | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
4 | |
| Create | ADODB.Stream | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
4 | |
| Execute | WinHttp.WinHttpRequest.5.1 | IDispatch | method_name = Open |
|
1 | |
| Execute | WinHttp.WinHttpRequest.5.1 | IDispatch | method_name = Open |
|
1 | |
| Execute | WinHttp.WinHttpRequest.5.1 | IDispatch | method_name = Open |
|
1 | |
| Execute | WinHttp.WinHttpRequest.5.1 | IDispatch | method_name = Open |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\cimv2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_OperatingSystem |
|
1 |
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | bin\tools\driverpack-wget.exe | - |
|
1 | |
| Create | bin\tools\driverpack-7za.exe | - |
|
1 | |
| Create | bin\tools\devcon64.exe | - |
|
1 | |
| Create | bin\tools\aria2c.exe | - |
|
1 | |
| Get Info | - | type = size |
|
1 | |
| Read | - | size = 105750, size_out = 105750 |
|
1 | |
| Write | bin\tools\driverpack-wget.exe | size = 419216 |
|
1 | |
| Write | bin\tools\driverpack-7za.exe | size = 661392 |
|
1 | |
| Write | bin\tools\devcon64.exe | size = 87952 |
|
1 | |
| Write | bin\tools\aria2c.exe | size = 0 |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 | value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | value_name = Default Impersonation Level, data = 3 |
|
1 |
Module (16)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | amsi.dll | base_address = 0x739b0000 |
|
1 | |
| Load | C:\Windows\system32\advapi32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | shell32.dll | base_address = 0x75430000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernelbase.dll | base_address = 0x74e70000 |
|
1 | |
| Get Handle | c:\windows\syswow64\wscript.exe | base_address = 0x11e0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\wscript.exe, file_name_orig = C:\Windows\SysWOW64\wscript.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\wscript.exe, file_name_orig = C:\Windows\SysWOW64\wscript.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryProtectedPolicy, address_out = 0x74f39ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiInitialize, address_out = 0x739b3d40 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiScanString, address_out = 0x739b40e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = ResolveDelayLoadedAPI, address_out = 0x74f24e60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = ResolveDelayLoadsFromDll, address_out = 0x74fa0770 |
|
1 | |
| Get Address | c:\windows\syswow64\wscript.exe | function = 1, address_out = 0x11eb650 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = DuplicateTokenEx, address_out = 0x76a30c20 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | address_out = 0x755744a0 |
|
1 |
System (15)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Ticks, time = 135281 |
|
2 | |
| Get Time | type = Ticks, time = 138953 |
|
1 | |
| Get Time | type = Ticks, time = 139437 |
|
1 | |
| Get Time | type = Ticks, time = 139546 |
|
1 | |
| Get Time | type = Ticks, time = 139562 |
|
1 | |
| Get Time | type = Ticks, time = 157093 |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Operating System |
|
5 | |
| Get Info | type = Hardware Information |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = JS_PROFILER |
|
1 |
Network Behavior
HTTP Sessions (4)
| Information | Value |
|---|---|
| Total Data Sent | 1.37 KB |
| Total Data Received | 1.11 MB |
| Contacted Host Count | 1 |
| Contacted Hosts | download.drp.su |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729) |
| Server Name | download.drp.su |
| Server Port | 80 |
| Data Sent | 355 |
| Data Received | 419216 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = download.drp.su, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /updates/beetle/driverpack-wget.exe |
|
1 | |
| Send HTTP Request | url = http://download.drp.su/updates/beetle/driverpack-wget.exe |
|
1 | |
| Read Response | size_out = 419216 |
|
1 |
HTTP Session #2
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729) |
| Server Name | download.drp.su |
| Server Port | 80 |
| Data Sent | 354 |
| Data Received | 661392 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = download.drp.su, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /updates/beetle/driverpack-7za.exe |
|
1 | |
| Send HTTP Request | url = http://download.drp.su/updates/beetle/driverpack-7za.exe |
|
1 | |
| Read Response | size_out = 661392 |
|
1 |
HTTP Session #3
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729) |
| Server Name | download.drp.su |
| Server Port | 80 |
| Data Sent | 348 |
| Data Received | 87952 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = download.drp.su, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /updates/beetle/devcon64.exe |
|
1 | |
| Send HTTP Request | url = http://download.drp.su/updates/beetle/devcon64.exe |
|
1 | |
| Read Response | size_out = 87952 |
|
1 |
HTTP Session #4
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729) |
| Server Name | download.drp.su |
| Server Port | 80 |
| Data Sent | 346 |
| Data Received | 0 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = download.drp.su, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /updates/beetle/aria2c.exe |
|
1 | |
| Send HTTP Request | url = http://download.drp.su/updates/beetle/aria2c.exe |
|
1 | |
| Read Response | size_out = 0 |
|
1 |
Process #7: driverpack.exe
8
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\users\ciihmn~1\appdata\local\temp\7zipsfx.000\driverpack.exe |
| Command Line | "C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\DriverPack.exe" --sfx "DriverPack-17-Online.exe" |
| Initial Working Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\ |
| Monitor | Start Time: 00:01:22, Reason: Child Process |
| Unmonitor | End Time: 00:05:11, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:49 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xeec |
| Parent PID | 0xe80 (c:\users\ciihmnxmn6ps\desktop\driverpack-17-online.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EF0
0x
FE8
0x
FF4
0x
FF8
0x
C18
0x
C40
0x
B40
0x
C3C
0x
908
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00034fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002c0000 | 0x0037dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x00380fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00393fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x003e0000 | 0x003e3fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x003f0000 | 0x003f3fff | Memory Mapped File | r |
|
|
|
- |
| driverpack.exe | 0x00400000 | 0x00417fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000460000 | 0x00460000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| propsys.dll.mui | 0x004a0000 | 0x004b0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x00747fff | Pagefile Backed Memory | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0x00750000 | 0x00792fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x00940fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x01d4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x01d50000 | 0x01ddafff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x01de0000 | 0x01df2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001e00000 | 0x01e00000 | 0x01e00fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001e10000 | 0x01e10000 | 0x01e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e60000 | 0x01e60000 | 0x01e6ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01e70000 | 0x021a6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000023b0000 | 0x023b0000 | 0x025affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025b0000 | 0x025b0000 | 0x027affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027b0000 | 0x027b0000 | 0x027effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027f0000 | 0x027f0000 | 0x029effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029f0000 | 0x029f0000 | 0x02a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a30000 | 0x02a30000 | 0x02c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c30000 | 0x02c30000 | 0x02c6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c70000 | 0x02c70000 | 0x02e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e70000 | 0x02e70000 | 0x02eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002eb0000 | 0x02eb0000 | 0x030affff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| sfc.dll | 0x66680000 | 0x66682fff | Memory Mapped File | rwx |
|
|
|
- |
| sfc_os.dll | 0x73400000 | 0x7340efff | Memory Mapped File | rwx |
|
|
|
- |
| aclayers.dll | 0x734c0000 | 0x73737fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x73740000 | 0x73760fff | Memory Mapped File | rwx |
|
|
|
- |
| winmmbase.dll | 0x73770000 | 0x73792fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x737a0000 | 0x737b6fff | Memory Mapped File | rwx |
|
|
|
- |
| winspool.drv | 0x738c0000 | 0x73926fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x73970000 | 0x73988fff | Memory Mapped File | rwx |
|
|
|
- |
| msacm32.dll | 0x73990000 | 0x739a7fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x739c0000 | 0x739d3fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x73a90000 | 0x73ab3fff | Memory Mapped File | rwx |
|
|
|
- |
| acgenral.dll | 0x73b40000 | 0x73da3fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x73dc0000 | 0x74080fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x74090000 | 0x741effff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74400000 | 0x7442efff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74430000 | 0x7444afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74450000 | 0x74462fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74470000 | 0x745b1fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75220000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76820000 | 0x768a1fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76a90000 | 0x76c34fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.sdb | 0x7fb20000 | 0x7feaffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000007fea1000 | 0x7fea1000 | 0x7fea3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fea4000 | 0x7fea4000 | 0x7fea6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fea7000 | 0x7fea7000 | 0x7fea9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007feaa000 | 0x7feaa000 | 0x7feacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fead000 | 0x7fead000 | 0x7feaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\cmd.exe | show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\System32\mshta.exe | show_window = SW_SHOWNORMAL |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | libgcc_s_dw2-1.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\users\ciihmn~1\appdata\local\temp\7zipsfx.000\driverpack.exe | base_address = 0x400000 |
|
1 | |
| Get Filename | c:\users\ciihmn~1\appdata\local\temp\7zipsfx.000\driverpack.exe | process_name = c:\users\ciihmn~1\appdata\local\temp\7zipsfx.000\driverpack.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\DriverPack.exe, size = 260 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
2 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Set Environment String | name = SEE_MASK_NOZONECHECKS, value = 1 |
|
1 |
Process #8: cmd.exe
640
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /c Tools\init.cmd "C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\run.hta" "--sfx" "DriverPack-17-Online.exe" |
| Initial Working Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\ |
| Monitor | Start Time: 00:01:31, Reason: Child Process |
| Unmonitor | End Time: 00:01:45, Reason: Self Terminated |
| Monitor Duration | 00:00:14 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb58 |
| Parent PID | 0xeec (c:\users\ciihmn~1\appdata\local\temp\7zipsfx.000\driverpack.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
658
0x
C90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00350000 | 0x0039ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x0444ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004450000 | 0x04450000 | 0x0446ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004450000 | 0x04450000 | 0x0445ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004460000 | 0x04460000 | 0x04463fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004470000 | 0x04470000 | 0x04474fff | Private Memory | rw |
|
|
|
- |
| sfc.dll | 0x04470000 | 0x04472fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000004480000 | 0x04480000 | 0x04493fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000044a0000 | 0x044a0000 | 0x044dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044e0000 | 0x044e0000 | 0x045dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000045e0000 | 0x045e0000 | 0x045e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000045f0000 | 0x045f0000 | 0x045f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004600000 | 0x04600000 | 0x04601fff | Private Memory | rw |
|
|
|
- |
| cmd.exe.mui | 0x04610000 | 0x04630fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004640000 | 0x04640000 | 0x04640fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004650000 | 0x04650000 | 0x04650fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004660000 | 0x04660000 | 0x04663fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004670000 | 0x04670000 | 0x0467ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04680000 | 0x0473dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004740000 | 0x04740000 | 0x0483ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004840000 | 0x04840000 | 0x049c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000049d0000 | 0x049d0000 | 0x04a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a10000 | 0x04a10000 | 0x04a1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a20000 | 0x04a20000 | 0x04ba0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004bb0000 | 0x04bb0000 | 0x05faffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005fb0000 | 0x05fb0000 | 0x060affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000060b0000 | 0x060b0000 | 0x060bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006160000 | 0x06160000 | 0x0616ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x06170000 | 0x064a6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x731a0000 | 0x731a7fff | Memory Mapped File | rwx |
|
|
|
- |
| sfc_os.dll | 0x73400000 | 0x7340efff | Memory Mapped File | rwx |
|
|
|
- |
| aclayers.dll | 0x734c0000 | 0x73737fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x73740000 | 0x73760fff | Memory Mapped File | rwx |
|
|
|
- |
| winmmbase.dll | 0x73770000 | 0x73792fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x737a0000 | 0x737b6fff | Memory Mapped File | rwx |
|
|
|
- |
| winspool.drv | 0x738c0000 | 0x73926fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x73970000 | 0x73988fff | Memory Mapped File | rwx |
|
|
|
- |
| msacm32.dll | 0x73990000 | 0x739a7fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x739c0000 | 0x739d3fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x73a90000 | 0x73ab3fff | Memory Mapped File | rwx |
|
|
|
- |
| acgenral.dll | 0x73b40000 | 0x73da3fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x73dc0000 | 0x74080fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x74090000 | 0x741effff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74430000 | 0x7444afff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75220000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76a90000 | 0x76c34fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.sdb | 0x7ec30000 | 0x7efbffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000007efc0000 | 0x7efc0000 | 0x7f0bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f0c0000 | 0x7f0c0000 | 0x7f0e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e7000 | 0x7f0e7000 | 0x7f0e7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0e8000 | 0x7f0e8000 | 0x7f0eafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0eb000 | 0x7f0eb000 | 0x7f0ebfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0ed000 | 0x7f0ed000 | 0x7f0effff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\\modules\clientid.js | 0.05 KB |
MD5:
1f15d6213e03b6846384b5dc25954fac
SHA1: 88c8de0bc50e6c516bd82e4e70f9cf0fc570e9de SHA256: 5792cc03e923005f27d99fb7e9428617784c87f50551101ca6a7c150986e49f4 SSDeep: 3:qGQ6hAq4ATbkA+cn:qGLV8A+cn |
|
|
Host Behavior
File (573)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\init.cmd | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
9 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\init.cmd | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
9 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\\modules\clientid.js | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\init.cmd | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
9 | |
| Create | nul | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin | type = file_attributes |
|
2 | |
| Get Info | Tools\init.cmd | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
16 | |
| Get Info | - | type = size |
|
1 | |
| Get Info | - | type = file_type |
|
63 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
3 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | call:reg | type = file_attributes |
|
1 | |
| Get Info | - | type = size |
|
3 | |
| Get Info | - | type = file_type |
|
16 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
43 | |
| Open | STD_INPUT_HANDLE | - |
|
15 | |
| Open | - | - |
|
57 | |
| Open | - | - |
|
163 | |
| Open | - | - |
|
52 | |
| Open | STD_ERROR_HANDLE | - |
|
8 | |
| Read | - | size = 8191, size_out = 852 |
|
1 | |
| Read | - | size = 8191, size_out = 841 |
|
1 | |
| Read | - | size = 8191, size_out = 839 |
|
1 | |
| Read | - | size = 8191, size_out = 824 |
|
1 | |
| Read | - | size = 8191, size_out = 822 |
|
1 | |
| Read | - | size = 8191, size_out = 795 |
|
1 | |
| Read | - | size = 8191, size_out = 788 |
|
1 | |
| Read | - | size = 8191, size_out = 786 |
|
1 | |
| Read | - | size = 8191, size_out = 775 |
|
1 | |
| Read | - | size = 8191, size_out = 756 |
|
1 | |
| Read | - | size = 8191, size_out = 733 |
|
1 | |
| Read | - | size = 8191, size_out = 702 |
|
1 | |
| Read | - | size = 8191, size_out = 691 |
|
1 | |
| Read | - | size = 8191, size_out = 686 |
|
1 | |
| Read | - | size = 8191, size_out = 677 |
|
1 | |
| Read | - | size = 8191, size_out = 659 |
|
1 | |
| Read | - | size = 512, size_out = 512 |
|
13 | |
| Read | - | size = 512, size_out = 475 |
|
1 | |
| Read | - | size = 512, size_out = 472 |
|
1 | |
| Read | - | size = 512, size_out = 470 |
|
1 | |
| Read | - | size = 512, size_out = 448 |
|
1 | |
| Read | - | size = 512, size_out = 415 |
|
1 | |
| Read | - | size = 512, size_out = 413 |
|
1 | |
| Read | - | size = 512, size_out = 402 |
|
1 | |
| Read | - | size = 512, size_out = 400 |
|
1 | |
| Read | - | size = 512, size_out = 374 |
|
1 | |
| Read | - | size = 512, size_out = 348 |
|
1 | |
| Read | - | size = 512, size_out = 322 |
|
1 | |
| Read | - | size = 512, size_out = 320 |
|
1 | |
| Read | - | size = 512, size_out = 314 |
|
1 | |
| Read | - | size = 512, size_out = 296 |
|
1 | |
| Read | - | size = 512, size_out = 258 |
|
1 | |
| Read | - | size = 512, size_out = 219 |
|
1 | |
| Read | - | size = 512, size_out = 163 |
|
1 | |
| Read | - | size = 512, size_out = 118 |
|
1 | |
| Read | - | size = 512, size_out = 113 |
|
1 | |
| Read | - | size = 512, size_out = 103 |
|
1 | |
| Read | - | size = 512, size_out = 56 |
|
1 | |
| Read | - | size = 512, size_out = 14 |
|
1 | |
| Read | - | size = 512, size_out = 11 |
|
1 | |
| Read | - | size = 512, size_out = 0 |
|
1 | |
| Read | - | size = 8191, size_out = 775 |
|
1 | |
| Read | - | size = 8191, size_out = 756 |
|
1 | |
| Read | - | size = 8191, size_out = 733 |
|
1 | |
| Read | - | size = 8191, size_out = 702 |
|
1 | |
| Read | - | size = 8191, size_out = 691 |
|
1 | |
| Read | - | size = 8191, size_out = 686 |
|
1 | |
| Read | - | size = 8191, size_out = 677 |
|
1 | |
| Read | - | size = 8191, size_out = 659 |
|
1 | |
| Read | - | size = 8191, size_out = 656 |
|
1 | |
| Read | - | size = 8191, size_out = 654 |
|
1 | |
| Read | - | size = 8191, size_out = 638 |
|
1 | |
| Read | - | size = 8191, size_out = 608 |
|
1 | |
| Read | - | size = 8191, size_out = 554 |
|
1 | |
| Read | - | size = 8191, size_out = 475 |
|
1 | |
| Read | - | size = 8191, size_out = 472 |
|
1 | |
| Read | - | size = 8191, size_out = 470 |
|
1 | |
| Read | - | size = 8191, size_out = 448 |
|
1 | |
| Read | - | size = 512, size_out = 415 |
|
1 | |
| Read | - | size = 512, size_out = 413 |
|
1 | |
| Read | - | size = 512, size_out = 402 |
|
1 | |
| Read | - | size = 512, size_out = 400 |
|
1 | |
| Read | - | size = 512, size_out = 374 |
|
1 | |
| Read | - | size = 512, size_out = 348 |
|
1 | |
| Read | - | size = 512, size_out = 322 |
|
1 | |
| Read | - | size = 512, size_out = 320 |
|
1 | |
| Read | - | size = 8191, size_out = 314 |
|
1 | |
| Read | - | size = 8191, size_out = 296 |
|
1 | |
| Read | - | size = 8191, size_out = 258 |
|
1 | |
| Read | - | size = 8191, size_out = 219 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 118 |
|
1 | |
| Read | - | size = 8191, size_out = 113 |
|
1 | |
| Read | - | size = 8191, size_out = 103 |
|
1 | |
| Read | - | size = 8191, size_out = 56 |
|
1 | |
| Read | - | size = 8191, size_out = 14 |
|
1 | |
| Read | - | size = 8191, size_out = 11 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
4 | |
| Read | - | size = 8191, size_out = 415 |
|
1 | |
| Read | - | size = 8191, size_out = 413 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 50 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\reg.exe | os_pid = 0x88c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\sysnative\reg.exe | os_pid = 0x5c8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x350000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x734fda50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (38)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
3 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = cwd, result_out = C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\ |
|
4 | |
| Get Environment String | name = executeFileName, result_out = DriverPack-17-Online.exe |
|
2 | |
| Get Environment String | name = PROCESSOR_ARCHITECTURE, result_out = x86 |
|
1 | |
| Get Environment String | name = windir, result_out = C:\Windows |
|
2 | |
| Get Environment String | name = PROCESSOR_ARCHITEW6432, result_out = AMD64 |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin |
|
1 | |
| Set Environment String | name = cwd, value = C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\ |
|
1 | |
| Set Environment String | name = executeFileName, value = DriverPack-17-Online.exe |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 |
Process #10: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:36, Reason: RPC Server |
| Unmonitor | End Time: 00:05:11, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:35 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x330 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
EBC
0x
F30
0x
EAC
0x
EA8
0x
E1C
0x
DE0
0x
DC4
0x
DC0
0x
78C
0x
B14
0x
BF4
0x
AE0
0x
8E8
0x
8E0
0x
820
0x
7B4
0x
784
0x
8EC
0x
734
0x
4F0
0x
A80
0x
83C
0x
760
0x
89C
0x
874
0x
870
0x
7E0
0x
7BC
0x
788
0x
764
0x
75C
0x
74C
0x
6F8
0x
6F0
0x
6E0
0x
6D8
0x
6D0
0x
6C0
0x
684
0x
678
0x
66C
0x
660
0x
64C
0x
648
0x
60C
0x
5F4
0x
5C4
0x
598
0x
528
0x
510
0x
280
0x
498
0x
494
0x
100
0x
138
0x
1E4
0x
168
0x
12C
0x
130
0x
124
0x
FC
0x
F8
0x
3F0
0x
3D8
0x
3D4
0x
3CC
0x
3C0
0x
39C
0x
334
0x
A48
0x
C5C
0x
A74
0x
C9C
0x
CA4
0x
CAC
0x
CA8
0x
CA0
0x
C8C
0x
C88
0x
C84
0x
C7C
0x
A5C
0x
B0
0x
208
0x
D2C
0x
CB0
0x
204
0x
F4
0x
1B8
0x
1F8
0x
594
0x
9D8
0x
2D8
0x
858
0x
B5C
0x
BD4
0x
D64
0x
D48
0x
D40
0x
EA4
0x
F88
0x
350
0x
27C
0x
C64
0x
C50
0x
630
0x
E98
0x
ACC
0x
C58
0x
C94
0x
E28
0x
DC0
0x
D5C
0x
644
0x
F1C
0x
73C
0x
6BC
0x
89C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000eaf3940000 | 0xeaf3940000 | 0xeaf394ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xeaf3950000 | 0xeaf3950fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000eaf3960000 | 0xeaf3960000 | 0xeaf3973fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000eaf3980000 | 0xeaf3980000 | 0xeaf39fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf3a00000 | 0xeaf3a00000 | 0xeaf3a03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000eaf3a10000 | 0xeaf3a10000 | 0xeaf3a10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000eaf3a20000 | 0xeaf3a20000 | 0xeaf3a21fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xeaf3a30000 | 0xeaf3aedfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf3af0000 | 0xeaf3af0000 | 0xeaf3b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf3b70000 | 0xeaf3b70000 | 0xeaf3b70fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf3b80000 | 0xeaf3b80000 | 0xeaf3b80fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf3b90000 | 0xeaf3b90000 | 0xeaf3b90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000eaf3ba0000 | 0xeaf3ba0000 | 0xeaf3ba0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000eaf3bb0000 | 0xeaf3bb0000 | 0xeaf3bb0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf3bc0000 | 0xeaf3bc0000 | 0xeaf3bc1fff | Pagefile Backed Memory | r |
|
|
|
- |
| iphlpsvc.dll.mui | 0xeaf3bd0000 | 0xeaf3bdcfff | Memory Mapped File | r |
|
|
|
- |
| gpsvc.dll.mui | 0xeaf3be0000 | 0xeaf3becfff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0xeaf3bf0000 | 0xeaf3bf3fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0xeaf3c00000 | 0xeaf3c03fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf3c10000 | 0xeaf3c10000 | 0xeaf3c16fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf3c20000 | 0xeaf3c20000 | 0xeaf3cdffff | Pagefile Backed Memory | r |
|
|
|
- |
| propsys.dll.mui | 0xeaf3ce0000 | 0xeaf3cf0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf3d00000 | 0xeaf3d00000 | 0xeaf3dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf3e00000 | 0xeaf3e00000 | 0xeaf3e7ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0xeaf3e80000 | 0xeaf3ec2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000eaf3ed0000 | 0xeaf3ed0000 | 0xeaf3ed1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000eaf3ee0000 | 0xeaf3ee0000 | 0xeaf3ee0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000eaf3ef0000 | 0xeaf3ef0000 | 0xeaf3ef6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf3f00000 | 0xeaf3f00000 | 0xeaf3ffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf4000000 | 0xeaf4000000 | 0xeaf4187fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000eaf4190000 | 0xeaf4190000 | 0xeaf4310fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000eaf4320000 | 0xeaf4320000 | 0xeaf441ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf4420000 | 0xeaf4420000 | 0xeaf451ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf4520000 | 0xeaf4520000 | 0xeaf4522fff | Pagefile Backed Memory | r |
|
|
|
- |
| vsstrace.dll.mui | 0xeaf4530000 | 0xeaf4538fff | Memory Mapped File | r |
|
|
|
- |
| activeds.dll.mui | 0xeaf4540000 | 0xeaf4541fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll | 0xeaf4550000 | 0xeaf4554fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000eaf4560000 | 0xeaf4560000 | 0xeaf4560fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf4570000 | 0xeaf4570000 | 0xeaf4570fff | Pagefile Backed Memory | rw |
|
|
|
- |
| winnlsres.dll.mui | 0xeaf4580000 | 0xeaf458ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf4590000 | 0xeaf4590000 | 0xeaf4596fff | Private Memory | rw |
|
|
|
- |
| mswsock.dll.mui | 0xeaf45b0000 | 0xeaf45b2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf45c0000 | 0xeaf45c0000 | 0xeaf45d7fff | Private Memory | rw |
|
|
|
- |
| usocore.dll.mui | 0xeaf45e0000 | 0xeaf45e0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000eaf45f0000 | 0xeaf45f0000 | 0xeaf45f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000eaf4600000 | 0xeaf4600000 | 0xeaf46fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf4700000 | 0xeaf4700000 | 0xeaf47fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xeaf4800000 | 0xeaf4b36fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf4b40000 | 0xeaf4b40000 | 0xeaf4c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf4c40000 | 0xeaf4c40000 | 0xeaf4d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf4d40000 | 0xeaf4d40000 | 0xeaf4e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf4e40000 | 0xeaf4e40000 | 0xeaf4f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf4f40000 | 0xeaf4f40000 | 0xeaf503ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5070000 | 0xeaf5070000 | 0xeaf5076fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5080000 | 0xeaf5080000 | 0xeaf50fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5100000 | 0xeaf5100000 | 0xeaf51fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5200000 | 0xeaf5200000 | 0xeaf527ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5280000 | 0xeaf5280000 | 0xeaf52fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5300000 | 0xeaf5300000 | 0xeaf53fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5400000 | 0xeaf5400000 | 0xeaf54fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5500000 | 0xeaf5500000 | 0xeaf557ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5580000 | 0xeaf5580000 | 0xeaf55fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5600000 | 0xeaf5600000 | 0xeaf56fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5700000 | 0xeaf5700000 | 0xeaf57fffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0xeaf5800000 | 0xeaf588afff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf5890000 | 0xeaf5890000 | 0xeaf598ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5990000 | 0xeaf5990000 | 0xeaf5a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5a90000 | 0xeaf5a90000 | 0xeaf5b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5b90000 | 0xeaf5b90000 | 0xeaf5c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5c90000 | 0xeaf5c90000 | 0xeaf5d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5d90000 | 0xeaf5d90000 | 0xeaf5e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5f00000 | 0xeaf5f00000 | 0xeaf5ffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6000000 | 0xeaf6000000 | 0xeaf607ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6080000 | 0xeaf6080000 | 0xeaf617ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6180000 | 0xeaf6180000 | 0xeaf627ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6280000 | 0xeaf6280000 | 0xeaf637ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6380000 | 0xeaf6380000 | 0xeaf63fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6430000 | 0xeaf6430000 | 0xeaf652ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6530000 | 0xeaf6530000 | 0xeaf662ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6690000 | 0xeaf6690000 | 0xeaf670ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6770000 | 0xeaf6770000 | 0xeaf6776fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6780000 | 0xeaf6780000 | 0xeaf687ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6900000 | 0xeaf6900000 | 0xeaf69fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6a00000 | 0xeaf6a00000 | 0xeaf6afffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6b00000 | 0xeaf6b00000 | 0xeaf6b7ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0xeaf6b80000 | 0xeaf6c5efff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf6c60000 | 0xeaf6c60000 | 0xeaf6d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6de0000 | 0xeaf6de0000 | 0xeaf6e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6e60000 | 0xeaf6e60000 | 0xeaf6f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6f60000 | 0xeaf6f60000 | 0xeaf705ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7060000 | 0xeaf7060000 | 0xeaf715ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7160000 | 0xeaf7160000 | 0xeaf725ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7260000 | 0xeaf7260000 | 0xeaf735ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7360000 | 0xeaf7360000 | 0xeaf745ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7460000 | 0xeaf7460000 | 0xeaf755ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7560000 | 0xeaf7560000 | 0xeaf75dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf75e0000 | 0xeaf75e0000 | 0xeaf75e6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7600000 | 0xeaf7600000 | 0xeaf76fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7700000 | 0xeaf7700000 | 0xeaf77fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7800000 | 0xeaf7800000 | 0xeaf78fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7900000 | 0xeaf7900000 | 0xeaf79fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7a00000 | 0xeaf7a00000 | 0xeaf7afffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7b00000 | 0xeaf7b00000 | 0xeaf7bfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7c00000 | 0xeaf7c00000 | 0xeaf7cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7d00000 | 0xeaf7d00000 | 0xeaf7dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7e00000 | 0xeaf7e00000 | 0xeaf7efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7f00000 | 0xeaf7f00000 | 0xeaf7f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7f80000 | 0xeaf7f80000 | 0xeaf807ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8080000 | 0xeaf8080000 | 0xeaf817ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8190000 | 0xeaf8190000 | 0xeaf8196fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8200000 | 0xeaf8200000 | 0xeaf82fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8300000 | 0xeaf8300000 | 0xeaf837ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8380000 | 0xeaf8380000 | 0xeaf847ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf8480000 | 0xeaf8480000 | 0xeaf857ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000eaf8590000 | 0xeaf8590000 | 0xeaf8596fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf85a0000 | 0xeaf85a0000 | 0xeaf869ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8720000 | 0xeaf8720000 | 0xeaf8726fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8730000 | 0xeaf8730000 | 0xeaf882ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8830000 | 0xeaf8830000 | 0xeaf892ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8930000 | 0xeaf8930000 | 0xeaf8a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8a30000 | 0xeaf8a30000 | 0xeaf8b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8c00000 | 0xeaf8c00000 | 0xeaf8cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8e00000 | 0xeaf8e00000 | 0xeaf8efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8f00000 | 0xeaf8f00000 | 0xeaf8ffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf9000000 | 0xeaf9000000 | 0xeaf90fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf9100000 | 0xeaf9100000 | 0xeaf91fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf9700000 | 0xeaf9700000 | 0xeaf97fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf9800000 | 0xeaf9800000 | 0xeaf98fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf9900000 | 0xeaf9900000 | 0xeaf99fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff1f0000 | 0x7df5ff1f0000 | 0x7ff5ff1effff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff672ed4000 | 0x7ff672ed4000 | 0x7ff672ed5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672ed6000 | 0x7ff672ed6000 | 0x7ff672ed7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672ed8000 | 0x7ff672ed8000 | 0x7ff672ed9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672eda000 | 0x7ff672eda000 | 0x7ff672edbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672ee6000 | 0x7ff672ee6000 | 0x7ff672ee7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672ee8000 | 0x7ff672ee8000 | 0x7ff672ee9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672eea000 | 0x7ff672eea000 | 0x7ff672eebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672eec000 | 0x7ff672eec000 | 0x7ff672eedfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672eee000 | 0x7ff672eee000 | 0x7ff672eeffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672ef0000 | 0x7ff672ef0000 | 0x7ff672ef1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672ef4000 | 0x7ff672ef4000 | 0x7ff672ef5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672ef6000 | 0x7ff672ef6000 | 0x7ff672ef7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672ef8000 | 0x7ff672ef8000 | 0x7ff672ef9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672efa000 | 0x7ff672efa000 | 0x7ff672efbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672efc000 | 0x7ff672efc000 | 0x7ff672efdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672efe000 | 0x7ff672efe000 | 0x7ff672efffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672f00000 | 0x7ff672f00000 | 0x7ff672f01fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672f02000 | 0x7ff672f02000 | 0x7ff672f03fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672f04000 | 0x7ff672f04000 | 0x7ff672f05fff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 391 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #12: reg.exe
104
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\windows\syswow64\reg.exe |
| Command Line | reg import C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\\patch.reg |
| Initial Working Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\ |
| Monitor | Start Time: 00:01:41, Reason: Child Process |
| Unmonitor | End Time: 00:01:43, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x88c |
| Parent PID | 0xb58 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A3C
0x
BEC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a10000 | 0x00a10000 | 0x00a2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a23fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a34fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x00a53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00ae3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x00af0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00b20000 | 0x00bddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d5ffff | Private Memory | rw |
|
|
|
- |
| reg.exe | 0x00e20000 | 0x00e72fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x04e7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| kernelbase.dll.mui | 0x04e80000 | 0x04f5efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05080000 | 0x053b6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x769b0000 | 0x76a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x773e0000 | 0x773e6fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.sdb | 0x7e7c0000 | 0x7eb4ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000007eb50000 | 0x7eb50000 | 0x7ec4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ec50000 | 0x7ec50000 | 0x7ec72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec73000 | 0x7ec73000 | 0x7ec73fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec76000 | 0x7ec76000 | 0x7ec76fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec7a000 | 0x7ec7a000 | 0x7ec7cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec7d000 | 0x7ec7d000 | 0x7ec7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\patch.reg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\patch.reg | type = size |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
2 | |
| Open | STD_ERROR_HANDLE | - |
|
2 | |
| Read | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\patch.reg | size = 2, size_out = 2 |
|
1 | |
| Read | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\patch.reg | size = 65536, size_out = 5331 |
|
1 | |
| Read | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\patch.reg | size = 65536, size_out = 0 |
|
3 |
Registry (62)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\drp.su\update | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Styles | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SSLUX | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XMLHTTP | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XDOMAINREQUEST | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.css | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.html | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\drp.su\update | value_name = http, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\drp.su\update | value_name = https, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = GlobalUserOffline, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles | value_name = MaxScriptStatements, data = 4294967295, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Styles | value_name = MaxScriptStatements, data = 4294967295, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING | value_name = mshta.exe, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SSLUX | value_name = mshta.exe, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION | value_name = mshta.exe, data = 9999, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XMLHTTP | value_name = mshta.exe, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET | value_name = mshta.exe, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS | value_name = mshta.exe, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XDOMAINREQUEST | value_name = mshta.exe, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL | value_name = mshta.exe, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS | value_name = mshta.exe, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING | value_name = mshta.exe, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.css | value_name = Content Type, data = text/css, size = 18, type = REG_SZ |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm | value_name = Content Type, data = text/html, size = 20, type = REG_SZ |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.html | value_name = Content Type, data = text/html, size = 20, type = REG_SZ |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js | value_name = Content Type, data = application/javascript, size = 46, type = REG_SZ |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\reg.exe | base_address = 0xe20000 |
|
1 |
Process #13: reg.exe
104
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\system32\reg.exe |
| Command Line | C:\Windows\sysnative\reg.exe import C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\\patch.reg |
| Initial Working Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\ |
| Monitor | Start Time: 00:01:43, Reason: Child Process |
| Unmonitor | End Time: 00:01:44, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5c8 |
| Parent PID | 0xb58 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C04
0x
574
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007f9f3000 | 0x7f9f3000 | 0x7f9f3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000004efaa70000 | 0x4efaa70000 | 0x4efaa8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004efaa70000 | 0x4efaa70000 | 0x4efaa7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000004efaa80000 | 0x4efaa80000 | 0x4efaa86fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004efaa90000 | 0x4efaa90000 | 0x4efaaa3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004efaab0000 | 0x4efaab0000 | 0x4efab2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004efab30000 | 0x4efab30000 | 0x4efab33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000004efab40000 | 0x4efab40000 | 0x4efab40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004efab50000 | 0x4efab50000 | 0x4efab51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000004efab60000 | 0x4efab60000 | 0x4efabdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004efabe0000 | 0x4efabe0000 | 0x4efabe6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000004efac00000 | 0x4efac00000 | 0x4efacfffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x4efad00000 | 0x4efadbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004efadc0000 | 0x4efadc0000 | 0x4efaebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004efaf00000 | 0x4efaf00000 | 0x4efaf0ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x4efaf10000 | 0x4efb246fff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll.mui | 0x4efb250000 | 0x4efb32efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff3c0000 | 0x7df5ff3c0000 | 0x7ff5ff3bffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff655200000 | 0x7ff655200000 | 0x7ff6552fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff655300000 | 0x7ff655300000 | 0x7ff655322fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff65532b000 | 0x7ff65532b000 | 0x7ff65532bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff65532c000 | 0x7ff65532c000 | 0x7ff65532dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff65532e000 | 0x7ff65532e000 | 0x7ff65532ffff | Private Memory | rw |
|
|
|
- |
| reg.exe | 0x7ff655e00000 | 0x7ff655e55fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ff8ee040000 | 0x7ff8ee0a8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ff8ee250000 | 0x7ff8ee257fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\patch.reg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\patch.reg | type = size |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
2 | |
| Open | STD_ERROR_HANDLE | - |
|
2 | |
| Read | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\patch.reg | size = 2, size_out = 2 |
|
1 | |
| Read | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\patch.reg | size = 65536, size_out = 5331 |
|
1 | |
| Read | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\patch.reg | size = 65536, size_out = 0 |
|
3 |
Registry (62)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\drp.su\update | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Styles | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SSLUX | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XMLHTTP | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XDOMAINREQUEST | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.css | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.html | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\drp.su\update | value_name = http, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\drp.su\update | value_name = https, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = GlobalUserOffline, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles | value_name = MaxScriptStatements, data = 4294967295, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Styles | value_name = MaxScriptStatements, data = 4294967295, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING | value_name = mshta.exe, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SSLUX | value_name = mshta.exe, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION | value_name = mshta.exe, data = 9999, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XMLHTTP | value_name = mshta.exe, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET | value_name = mshta.exe, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS | value_name = mshta.exe, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XDOMAINREQUEST | value_name = mshta.exe, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL | value_name = mshta.exe, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS | value_name = mshta.exe, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING | value_name = mshta.exe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING | value_name = mshta.exe, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.css | value_name = Content Type, data = text/css, size = 18, type = REG_SZ |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm | value_name = Content Type, data = text/html, size = 20, type = REG_SZ |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.html | value_name = Content Type, data = text/html, size = 20, type = REG_SZ |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js | value_name = Content Type, data = application/javascript, size = 46, type = REG_SZ |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\reg.exe | base_address = 0x7ff655e00000 |
|
1 |
Process #14: mshta.exe
1079
10
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\syswow64\mshta.exe |
| Command Line | "C:\Windows\System32\mshta.exe" "C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\run.hta" "--sfx" "DriverPack-17-Online.exe" |
| Initial Working Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\ |
| Monitor | Start Time: 00:01:43, Reason: Child Process |
| Unmonitor | End Time: 00:05:11, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:28 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd18 |
| Parent PID | 0xeec (c:\users\ciihmn~1\appdata\local\temp\7zipsfx.000\driverpack.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2FC
0x
854
0x
898
0x
D6C
0x
D68
0x
E50
0x
D9C
0x
D78
0x
E10
0x
E14
0x
E78
0x
250
0x
16C
0x
704
0x
E68
0x
E74
0x
E7C
0x
E64
0x
E34
0x
3C8
0x
B68
0x
5D8
0x
C78
0x
374
0x
F30
0x
90C
0x
590
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000150000 | 0x00150000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x0015ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00163fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00174fff | Private Memory | rw |
|
|
|
- |
| mshta.exe.mui | 0x00170000 | 0x00170fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00301fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00360000 | 0x0041dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00420fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00630000 | 0x00659fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x00630fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x00760fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00770fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00773fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x00783fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x00790fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x007a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x007c0000 | 0x00af6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000b00000 | 0x00b00000 | 0x00c87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c90000 | 0x00c90000 | 0x00e10fff | Pagefile Backed Memory | r |
|
|
|
- |
| mshta.exe | 0x00e20000 | 0x00e27fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000e30000 | 0x00e30000 | 0x04e2ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000004e30000 | 0x04e30000 | 0x0622ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000006230000 | 0x06230000 | 0x063bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006230000 | 0x06230000 | 0x0632ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006330000 | 0x06330000 | 0x0639ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000006330000 | 0x06330000 | 0x06330fff | Pagefile Backed Memory | rw |
|
|
|
- |
| windowsshell.manifest | 0x06340000 | 0x06340fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000006340000 | 0x06340000 | 0x06340fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000006350000 | 0x06350000 | 0x06351fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000006360000 | 0x06360000 | 0x06361fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000006370000 | 0x06370000 | 0x06370fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000006380000 | 0x06380000 | 0x06383fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006390000 | 0x06390000 | 0x0639ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000063a0000 | 0x063a0000 | 0x063a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000063b0000 | 0x063b0000 | 0x063bffff | Private Memory | rw |
|
|
|
- |
| oleaut32.dll | 0x063c0000 | 0x06450fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000063c0000 | 0x063c0000 | 0x06477fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000006480000 | 0x06480000 | 0x064bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000064c0000 | 0x064c0000 | 0x0650ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006510000 | 0x06510000 | 0x0654ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006550000 | 0x06550000 | 0x0659ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000065a0000 | 0x065a0000 | 0x065dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000065e0000 | 0x065e0000 | 0x0662ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006630000 | 0x06630000 | 0x0666ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006670000 | 0x06670000 | 0x0676ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006770000 | 0x06770000 | 0x067effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006770000 | 0x06770000 | 0x067affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000067b0000 | 0x067b0000 | 0x067d9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000067e0000 | 0x067e0000 | 0x067effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000067f0000 | 0x067f0000 | 0x068effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000068f0000 | 0x068f0000 | 0x0692ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006930000 | 0x06930000 | 0x06a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006a30000 | 0x06a30000 | 0x06a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006a70000 | 0x06a70000 | 0x06b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006b70000 | 0x06b70000 | 0x06baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006bb0000 | 0x06bb0000 | 0x06caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006cb0000 | 0x06cb0000 | 0x06ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006cf0000 | 0x06cf0000 | 0x06deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006df0000 | 0x06df0000 | 0x06df0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006e00000 | 0x06e00000 | 0x06e00fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006e10000 | 0x06e10000 | 0x06e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006e50000 | 0x06e50000 | 0x06f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006f50000 | 0x06f50000 | 0x06f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006f90000 | 0x06f90000 | 0x0708ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000007090000 | 0x07090000 | 0x07090fff | Pagefile Backed Memory | rw |
|
|
|
- |
| counters.dat | 0x072c0000 | 0x072c0fff | Memory Mapped File | rw |
|
|
|
|
| msimgsiz.dat | 0x072d0000 | 0x072dbfff | Memory Mapped File | rw |
|
|
|
|
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x70bc0000 | 0x70dd7fff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x70de0000 | 0x70ff2fff | Memory Mapped File | rwx |
|
|
|
- |
| rmclient.dll | 0x71010000 | 0x7102dfff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x71230000 | 0x712adfff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x712c0000 | 0x714affff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x714d0000 | 0x71957fff | Memory Mapped File | rwx |
|
|
|
- |
| directmanipulation.dll | 0x71a70000 | 0x71adffff | Memory Mapped File | rwx |
|
|
|
- |
| msimtf.dll | 0x71b40000 | 0x71b4dfff | Memory Mapped File | rwx |
|
|
|
- |
| ninput.dll | 0x71cc0000 | 0x71d0cfff | Memory Mapped File | rwx |
|
|
|
- |
| mshtml.dll | 0x71e20000 | 0x731a1fff | Memory Mapped File | rwx |
|
|
|
- |
| wldp.dll | 0x73940000 | 0x7394cfff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x73dc0000 | 0x74080fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x74090000 | 0x741effff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74400000 | 0x7442efff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74430000 | 0x7444afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74450000 | 0x74462fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x749f0000 | 0x74bf8fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76820000 | 0x768a1fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x76d30000 | 0x76d3dfff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x76d40000 | 0x76d81fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x77ab0000 | 0x77c24fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007eff2000 | 0x7eff2000 | 0x7eff4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eff5000 | 0x7eff5000 | 0x7eff7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eff8000 | 0x7eff8000 | 0x7effafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007effb000 | 0x7effb000 | 0x7effdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007effe000 | 0x7effe000 | 0x7f000fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f001000 | 0x7f001000 | 0x7f003fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f004000 | 0x7f004000 | 0x7f006fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f007000 | 0x7f007000 | 0x7f009fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f00a000 | 0x7f00a000 | 0x7f00cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f00d000 | 0x7f00d000 | 0x7f00ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007f010000 | 0x7f010000 | 0x7f10ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f110000 | 0x7f110000 | 0x7f132fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f133000 | 0x7f133000 | 0x7f133fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f136000 | 0x7f136000 | 0x7f138fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f139000 | 0x7f139000 | 0x7f13bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f13c000 | 0x7f13c000 | 0x7f13efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f13f000 | 0x7f13f000 | 0x7f13ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 322 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\DOMStore\37JGORX3\update.drp[1].xml | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\DOMStore\37JGORX3\update.drp[1].xml | 0.01 KB |
MD5:
c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1: 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966 SHA256: b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db SSDeep: 3:D90aKb:JFKb |
|
|
| c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\inetcookies\yu15ijzh.txt | 0.08 KB |
MD5:
a28c7218dd84b10bb3205f1c3581c8e5
SHA1: e4c81e43000be8b7a6f5c0f246515757dd2c8a63 SHA256: edd1bb7f3edb4b7e9caeff444d08f1be891301c42c17db12c59f6dfad6694899 SSDeep: 3:4DoHOqZXAQtVddvHUVIXEYBlDNcS/n:4DoHOYXAsd5UVIXEYjp |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCache\IE\4FEH6KN1\roboto[1].css | 0.98 KB |
MD5:
f5f5b5e4955262430e7b496247425d2d
SHA1: d4bea186a0d525ce3060e8dd7901311ae4a0735a SHA256: 2537efe2fb974f58cddbc99abfcd7aed6e9df81992eed3e528b5f1748167b8fa SSDeep: 24:3lRBb/SITwAKHXzwAKHtVXAKHOjYmk/1wAKJFzwAKJXVXAKJAjYmk/KwAKEzwAKp:VFujutVfOjroSoVejrBvpV5jr4 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCache\IE\2A6ZZPUM\open-sans[1].css | 1.36 KB |
MD5:
9ed298542b45ef98492e159f68e89f48
SHA1: c4521d9a5dff8a71804c40a909378e8eb5bd66c2 SHA256: b9bd51ae6ccc7df20417e0ef341295b86bf8f74f6e235ee99ddefd675806f47f SSDeep: 24:3lRBbTwOJ5zwOJbVXOJkjYmkdwkzw6VXxjYmkQwDzw5VX6jYmkiwUpMzwUpCVXU8:V7NjNtV+OjrApXVhjrVGsVKjrLMWV0jk |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCache\IE\ORB8WXFK\normalize.min[1].css | 1.81 KB |
MD5:
e8908cf9cb9504b285327d240187f53b
SHA1: 20eadf1695eb38bcd92d1706de5335db61b96502 SHA256: 86235e2c477078adfe1188d07ca1e5d8198443aaf2436de1785a169f3e1d5463 SSDeep: 24:tiHfvKTPJRje+f/QK0415kl+1w303lrVLXRubKTJ95/t7zOGV8y/rCYt1TQ/ZeY0:Q0Km2lR0Ht95/dbrviZeY0 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCache\IE\ORB8WXFK\style[1].css | 13.86 KB |
MD5:
af178302fa14777df4bfb6ea17cc9a90
SHA1: 58944ecc93d5f21f718f40dfdb07817a734b6862 SHA256: ed3ed9b121572e294614872365c7afa869fd7f30f68f43c80eaf46253ad90d07 SSDeep: 192:XSLA8Ihlx19stdPF7eD4DepLqoJ+VEs0no4IVS:RvvxxkWvW4MS |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCache\IE\2A6ZZPUM\custom-control[1].css | 10.90 KB |
MD5:
a4abf0bb03d5f5e78b03a07ad395b44b
SHA1: db95841a366f3f41141ddf6e63f02a2bff8ac059 SHA256: f16936215c5068a55ffc87342283362bacdd16488c5d4baeee929af867d263b2 SSDeep: 192:fL8UEQ6UEPFaF/FIFUwyivZH5yFo8FMY+BRMYJBSMYzBDMY4BWMYWBfYMYOB1hZQ:f6FaF/FIFzU2lpRPAVvvmDR0YJZD2xzh |
|
|
| c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\inetcache\ie\4feh6kn1\drp[1].js | 2.43 MB |
MD5:
6880874b45f6c23ca3923b955849d497
SHA1: 00bfbd31ece11a7dbed38f91835ba7dcb690a251 SHA256: d00dd9d99e235c0c794c8cb3be09ac49cc231f6b37a7337c1fbad21936ec58c3 SSDeep: 49152:ihMKDNTJhd5YRt2yEEWzUsNsBvFrKO5sEGJOljSY3qEJSq5JKOXk7GR3IzwNmQlz:v |
|
|
| c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\inetcache\ie\2a6zzpum\config[1].js | 3.01 KB |
MD5:
37c385788870c6e11591506724f66ec2
SHA1: be4cc3805c6c3b49ad1671083aed7314e9e90034 SHA256: 84451ad70b2f4cb73f174e5e56c2092d819624ef50f5c7bae43434dc0aa19017 SSDeep: 48:113cTEvEvDanYlbd5E6E3MFk+jUIzu4UI0cUIFr7sbZvYAmXR:oEvEv+nYFde6E3bZhr/IFr78ZvYB |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT | 47.97 KB |
MD5:
50ce1186d7fec46e053e5bf12e9110c2
SHA1: 09dbf42e45e38364a05510e0c4b0635c9de945ec SHA256: a9679438980b16ecbc8c20c99e5ec887b6d48fdd274ec1cb69889723e2476eda SSDeep: 6:TPau3km9Yo/Saoda3fsnNbcy2HFCsXuSsclGXl4frOJXe0jMBKhihU+:mu0m9Yo6aodhnleDXuSzkl4jOJXer |
|
|
| c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\inetcache\ie\orb8wxfk\opensans-regular-webfont[1].eot | 40.48 KB |
MD5:
88a9c629f26f8563a72eac95cb0744bc
SHA1: 484bca13532678133dc14a668c580be2c1346526 SHA256: 3ae576bfa96d7cf6614c8c97290c7abe03191a8ceb0c837a21e7ffe70d66ca62 SSDeep: 768:hpfe+ESzTyBcQfZHded8/IGngtqPeOMBxe9tMxfuNrDVZ57qEOmLxodqnglqebz6:h9VFzTyBcced8/IGKBBxebM2DVzqEOAh |
|
|
| c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\inetcache\ie\orb8wxfk\proxima_nova_light-webfont[1].eot | 61.56 KB |
MD5:
ee9163c34f600221169f8ff531e97182
SHA1: 57f0b2c837c94f2a0df47ee62b4639fd6426bfa0 SHA256: 53f30a622db68cebe92dbd384cc292aef13ad7e3349a10a77c29326e10634c21 SSDeep: 768:bC60ICsNjaND3ryh+u23ocpjGu2a5TvSHyK6QjCiBQryT3Eg+TIhk//eFQz3e:gduh+JxjT2TSK6Qj5QuT3E4k//0Qi |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCache\IE\GY9R3U9A\icons-checkbox[1].css | 0.43 KB |
MD5:
3be98220035017d9b818f3cc94f87587
SHA1: bc07f11d0a59f942ac942dba02214a7041ad6e3a SHA256: cb134dcb95a407795c671a512c389894d3525fba3f6a2168fc5b9b7e875e78dc SSDeep: 12:jFjmDiDdhmDi5zJmcDiHvYcDitE9cDiDHO6Zm4:5jwiDzwi5VXipi6QiDHOYm4 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCache\IE\GY9R3U9A\proximanova[1].css | 1.67 KB |
MD5:
cf0c65f6d17307ccd7914e984ac86a6f
SHA1: 4fcef85545731123eb5e3e1886817f8014f22e21 SHA256: 58a658fd04bb4aa2ff90ff7125ca6e1775b1a9d053e2cfa44b8697990f9f134e SSDeep: 24:3lRMmwd+Fzwd+XVXd+Ld+AQd+hOYmkETwdYzwdOVXdedVQdwOYmk5WxdAMlsxdAO:VxxvVAZOrbBfVopOr7SxV0ov |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCache\IE\2A6ZZPUM\drp[1].css | 95.34 KB |
MD5:
2ef7eaaf19c1282c4766847b548c2f79
SHA1: 8055914b7abf5d1ec5ce66f8f4dbf398d935eee8 SHA256: ea6ac7588e6fcae24105fa6900c3e873919b0693d6f94679fc14625dee27c3f7 SSDeep: 1536:P2dO9LUlEUtOCBZRgvWRmcms4zX5ak4dwBhQvx2aSQaeQ271uLpOam1Eb8hiuFuG:OdO9pCuQL4FaGoUpi/gmye |
|
|
| c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\inetcache\counters.dat | 0.12 KB |
MD5:
0fc07622856a4f02ec32f3b8cdc7d79a
SHA1: 69227fbe52d3fbfa3af508fee363698fd2a3613c SHA256: 0ac6eba5d515f5a55c7d5bd712cb191aac9bbef780cac77f3a69e357d8c3d746 SSDeep: 3:/lV/l3l:d |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCache\IE\GY9R3U9A\icons[1].css | 0.50 KB |
MD5:
ebae852f3327fdaf3e2fc2bf1cdecb8f
SHA1: f9753fe176069974fc9bce49eae877745282e183 SHA256: b5f111103f7f090c246a223b1ff497b94c4dd3ac64bf5b3fb2d91555fcfd6f2c SSDeep: 12:jFCmDnkdhmDn6zJmcD8YcDx9cDsO6ZmEHi:5Cwkzw6VXSxQsOYmEC |
|
|
Host Behavior
COM (37)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 3050F5C8-98B5-11CF-BB82-00AA00BDCE0B | 00000000-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 50D5107A-D278-4871-8989-F4CEAAF59CFC | 08C0E040-62D1-11D1-9326-0060B067B86E | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD |
|
1 | |
| Create | 54E211B6-3650-4F75-8334-FA359598E1C5 | FBF5D3B4-70C7-4163-9322-5A6F660D6FBC | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 79DEA627-A08A-43AC-8EF5-6900B9299126 | 537A0825-0387-4EFA-B62F-71EB1F085A7E | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 16D51579-A30B-4C8B-A276-0FF4DC41E755 | BB1A2AE1-A4F9-11CF-8F20-00805F2CD064 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 317D06E8-5F24-433D-BDF7-79CE68D8ABC2 | EC5EC8A9-C395-4314-9C77-54D7A935FF70 | cls_context = CLSCTX_INPROC_SERVER |
|
2 | |
| Create | 842A1268-6E6A-465C-868F-8BC445B9828F | 8F88FD19-5D42-477B-BD45-F6A4A977ED05 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | WScript.Shell | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER |
|
1 | |
| Create | Shell.Application | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER |
|
4 | |
| Create | 529A9E6B-6587-4F23-AB9E-9C7D683E3C50 | AA80E801-2021-11D2-93E0-0060B067B86E | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 33C53A50-F456-4884-B049-85FD643ECFED | 1F02B6C5-7842-4EE6-8A0B-9A24183A95CA | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | E569BDE7-A8DC-47F3-893F-FD2B31B3EEFD | E66A412D-14B3-425C-82AC-5B7716CCA5A7 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | WScript.Shell | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER |
|
6 | |
| Create | WinHttp.WinHttpRequest.5.1 | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER |
|
1 | |
| Create | 76A64158-CB41-11D1-8B02-00600806D9B6 | 00000001-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER |
|
2 | |
| Create | Scripting.FileSystemObject | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER |
|
2 | |
| Create | WbemDefaultPathParser | IWbemPath | cls_context = CLSCTX_INPROC_SERVER |
|
8 | |
| Create | 9AED384E-CE8B-11D1-8B05-00600806D9B6 | 00000001-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER |
|
1 | |
| Execute | WinHttp.WinHttpRequest.5.1 | IDispatch | method_name = Open |
|
1 |
File (44)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\Tools\drp.css | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCache\IE\ORB8WXFK\normalize.min[1].css | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCache\IE\2A6ZZPUM\open-sans[1].css | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCache\IE\4FEH6KN1\roboto[1].css | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCache\IE\GY9R3U9A\proximanova[1].css | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCache\IE\GY9R3U9A\icons-checkbox[1].css | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCache\IE\GY9R3U9A\icons[1].css | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCache\IE\ORB8WXFK\style[1].css | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCache\IE\2A6ZZPUM\custom-control[1].css | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCache\IE\2A6ZZPUM\drp[1].css | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\DOMStore\37JGORX3\update.drp[1].xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\DOMStore\37JGORX3\update.drp[1].xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\DOMStore\37JGORX3\update.drp[1].xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
9 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT | type = size |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\DOMStore\37JGORX3\update.drp[1].xml | type = time |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\DOMStore\37JGORX3\update.drp[1].xml | type = time |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\DOMStore\37JGORX3\update.drp[1].xml | type = time |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\DOMStore\37JGORX3\update.drp[1].xml | type = time |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\DOMStore\37JGORX3\update.drp[1].xml | type = time |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\DOMStore\37JGORX3\update.drp[1].xml | type = time |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\DOMStore\37JGORX3\update.drp[1].xml | type = time |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\DOMStore\37JGORX3\update.drp[1].xml | type = time |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\DOMStore\37JGORX3\update.drp[1].xml | type = time |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\DOMStore\37JGORX3\update.drp[1].xml | type = time |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\DOMStore\37JGORX3\update.drp[1].xml | type = time |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\DOMStore\37JGORX3\update.drp[1].xml | type = time |
|
1 | |
| Open Stream | - | - |
|
6 | |
| Open Mapping | #MSHTML#PERF#00000D18 | desired_access = FILE_MAP_WRITE |
|
1 | |
| Open Mapping | Local\MSIMGSIZECacheMap | desired_access = FILE_MAP_ALL_ACCESS |
|
1 |
Registry (244)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\drpsu | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\SOFTWARE\drpsu | - |
|
2 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\drpsu | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
4 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
6 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
4 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
4 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
4 | |
| Open Key | HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ChakraRecycler | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ChakraRecycler | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\JScriptLegacy | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\JScriptLegacy | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\drpsu | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Control Panel\International | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\EUDC\1252 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\drpsu | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\drpsu | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\drpsu | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\drpsu | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\drpsu | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
4 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\drpsu | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Control Panel\International | - |
|
3 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\InProcServer32 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Avalon.Graphics | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\mozilla.org\Mozilla | - |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 | data = C:\Windows\SysWOW64\mshtml.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE | value_name = Path, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Application Compatibility | value_name = mshta.exe, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | value_name = NoFileMenu |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = CurrentVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = CurrentVersion, data = 6.3, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\International | value_name = Locale, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\International | value_name = Locale, data = 00000409, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer | value_name = svcVersion, data = 0, type = REG_SZ |
|
6 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer | value_name = svcVersion, data = 11.0.10240.16384, type = REG_SZ |
|
6 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics | value_name = AppliedDPI, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics | value_name = AppliedDPI, data = 96, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\drpsu | value_name = picoID, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\drpsu | value_name = picoID, data = 15415901880860.5777937487461258, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\drpsu | value_name = session, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\drpsu | value_name = clientId, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\drpsu | value_name = computerId, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\drpsu | value_name = computerId, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, type = REG_DWORD_LITTLE_ENDIAN |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, type = REG_DWORD_LITTLE_ENDIAN |
|
4 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
4 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\drpsu | value_name = lang, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\International | value_name = LocaleName, data = 0, type = REG_SZ |
|
3 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\International | value_name = LocaleName, data = en-US, type = REG_SZ |
|
3 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, type = REG_DWORD_LITTLE_ENDIAN |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, type = REG_DWORD_LITTLE_ENDIAN |
|
6 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
6 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, type = REG_DWORD_LITTLE_ENDIAN |
|
4 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
4 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, type = REG_DWORD_LITTLE_ENDIAN |
|
4 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
4 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, type = REG_DWORD_LITTLE_ENDIAN |
|
4 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
4 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\mozilla.org\Mozilla | value_name = CurrentVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\mozilla.org\Mozilla | value_name = CurrentVersion, data = 53.0.3, type = REG_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\drpsu | value_name = picoID, data = 15415901880860.5777937487461258, size = 32, type = REG_SZ |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational | size = 1, type = REG_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\SOFTWARE\drpsu | value_name = clientId, data = 005534500.4992489108, size = 21, type = REG_SZ |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\drpsu | value_name = clientId, data = 005534500.4992489108, size = 21, type = REG_SZ |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\drpsu | value_name = computerId, data = 664803382.1976196723, size = 21, type = REG_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\SOFTWARE\drpsu | value_name = computerId, data = 664803382.1976196723, size = 21, type = REG_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
2 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
4 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
2 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
6 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
4 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
4 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | value_name = 1406, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
4 |
Module (161)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | WLDP.DLL | base_address = 0x73940000 |
|
1 | |
| Load | C:\Windows\SysWOW64\mshtml.dll | base_address = 0x71e20000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | api-ms-win-downlevel-ole32-l1-1-0.dll | base_address = 0x76e40000 |
|
1 | |
| Load | urlmon.dll | base_address = 0x74090000 |
|
2 | |
| Load | ole32.dll | base_address = 0x768b0000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x77290000 |
|
1 | |
| Load | UxTheme.dll | base_address = 0x74c20000 |
|
1 | |
| Load | comctl32.dll | base_address = 0x749f0000 |
|
1 | |
| Load | api-ms-win-rtcore-ntuser-wmpointer-l1-1-0.dll | base_address = 0x77150000 |
|
1 | |
| Load | ninput.dll | base_address = 0x71cc0000 |
|
1 | |
| Load | OLEAUT32.dll | base_address = 0x76c90000 |
|
1 | |
| Load | api-ms-win-downlevel-shlwapi-l2-1-0.dll | base_address = 0x77340000 |
|
1 | |
| Load | ext-ms-win-ntuser-touch-hittest-l1-1-0.dll | base_address = 0x77150000 |
|
1 | |
| Load | d2d1.dll | base_address = 0x714d0000 |
|
1 | |
| Load | DWrite.dll | base_address = 0x712c0000 |
|
1 | |
| Load | dxgi.dll | base_address = 0x71230000 |
|
1 | |
| Load | d3d11.dll | base_address = 0x70de0000 |
|
1 | |
| Load | mshtml.dll | base_address = 0x71e20000 |
|
2 | |
| Load | OLEACC.DLL | base_address = 0x70aa0000 |
|
1 | |
| Load | WININET.dll | base_address = 0x706d0000 |
|
2 | |
| Load | SHELL32.dll | base_address = 0x75430000 |
|
1 | |
| Load | jscript9.dll | base_address = 0x70350000 |
|
1 | |
| Load | T2EMBED.DLL | base_address = 0x6f4e0000 |
|
1 | |
| Load | shell32.dll | base_address = 0x75430000 |
|
2 | |
| Load | ImgUtil.dll | base_address = 0x714c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\mshta.exe | base_address = 0xe20000 |
|
3 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
5 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77ca0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x77150000 |
|
2 | |
| Get Handle | c:\windows\syswow64\mshtml.dll | base_address = 0x71e20000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Get Handle | c:\windows\syswow64\mshtml.dll | base_address = 0x71e20000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Get Handle | c:\windows\syswow64\mshtml.dll | base_address = 0x71e20000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Get Handle | c:\windows\syswow64\mshtml.dll | base_address = 0x71e20000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Get Handle | c:\windows\syswow64\mshtml.dll | base_address = 0x71e20000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Get Handle | c:\windows\syswow64\kernelbase.dll | base_address = 0x74e70000 |
|
1 | |
| Get Handle | c:\windows\syswow64\mshtml.dll | base_address = 0x71e20000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Get Handle | c:\windows\syswow64\mshtml.dll | base_address = 0x71e20000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Get Handle | C:\Windows\SYSTEM32\jscript9.dll | base_address = 0x70350000 |
|
1 | |
| Get Handle | C:\Windows\SYSTEM32\jscript9.dll | base_address = 0x70350000 |
|
1 | |
| Get Handle | c:\windows\syswow64\mshtml.dll | base_address = 0x71e20000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\mshta.exe, file_name_orig = C:\Windows\SysWOW64\mshta.exe, size = 260 |
|
2 | |
| Get Filename | c:\windows\syswow64\mshta.exe | process_name = c:\windows\syswow64\mshta.exe, file_name_orig = C:\Windows\SysWOW64\mshta.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\mshta.exe, file_name_orig = C:\Windows\SYSTEM32\jscript9.dll, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSetInformation, address_out = 0x7527a200 |
|
3 | |
| Get Address | c:\windows\syswow64\wldp.dll | function = WldpGetLockdownPolicy, address_out = 0x73941de0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlGetDeviceFamilyInfoEnum, address_out = 0x77cffa70 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | address_out = 0x77d00a90 |
|
1 | |
| Get Address | c:\windows\syswow64\combase.dll | function = CoCreateGuid, address_out = 0x76e89f30 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | address_out = 0x740f0190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RegisterApplicationRestart, address_out = 0x75282250 |
|
1 | |
| Get Address | c:\windows\syswow64\mshtml.dll | function = RunHTMLApplication, address_out = 0x729a35a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = OleInitialize, address_out = 0x768d9c50 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathRemoveArgsW, address_out = 0x772a7c60 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = CreateURLMonikerEx, address_out = 0x740dae80 |
|
1 | |
| Get Address | c:\windows\syswow64\combase.dll | function = CoCreateInstance, address_out = 0x76ee8200 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoIncrementMTAUsage, address_out = 0x76f15780 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCoalescableTimer, address_out = 0x77184eb0 |
|
1 | |
| Get Address | c:\windows\syswow64\uxtheme.dll | address_out = 0x74c54ab0 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = CoInternetCreateSecurityManager, address_out = 0x740cd420 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = 520, address_out = 0x740cb670 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = 444, address_out = 0x740bb960 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = 521, address_out = 0x740cbec0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EnableMouseInPointer, address_out = 0x77188450 |
|
1 | |
| Get Address | c:\windows\syswow64\ninput.dll | function = CreateInteractionContext, address_out = 0x71ccca10 |
|
1 | |
| Get Address | c:\windows\syswow64\ninput.dll | function = RegisterOutputCallbackInteractionContext, address_out = 0x71ccd6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ninput.dll | function = SetInteractionConfigurationInteractionContext, address_out = 0x71cc8cf0 |
|
1 | |
| Get Address | c:\windows\syswow64\ninput.dll | function = SetPropertyInteractionContext, address_out = 0x71ccccb0 |
|
1 | |
| Get Address | c:\windows\syswow64\combase.dll | function = CoTaskMemAlloc, address_out = 0x76ecd200 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 9, address_out = 0x76ca92e0 |
|
1 | |
| Get Address | c:\windows\syswow64\shcore.dll | function = IUnknown_QueryService, address_out = 0x7737bc30 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = 29, address_out = 0x772ac630 |
|
1 | |
| Get Address | c:\windows\syswow64\combase.dll | function = CoTaskMemFree, address_out = 0x76eccf40 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 6, address_out = 0x76ca9230 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 7, address_out = 0x76cb3640 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = 519, address_out = 0x740cbac0 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = 485, address_out = 0x740babc0 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = CoInternetGetSession, address_out = 0x740b4a00 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = 471, address_out = 0x740b34c0 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = CoInternetParseIUri, address_out = 0x740eff80 |
|
1 | |
| Get Address | c:\windows\syswow64\shcore.dll | function = SHStrDupW, address_out = 0x77375590 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = CoInternetIsFeatureEnabledForUrl, address_out = 0x740b2290 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = ReleaseBindInfo, address_out = 0x740b03b0 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = FindMimeFromData, address_out = 0x740ef4c0 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = 551, address_out = 0x740b70b0 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = 446, address_out = 0x740be7f0 |
|
1 | |
| Get Address | c:\windows\syswow64\combase.dll | function = CoInitializeEx, address_out = 0x76eacd50 |
|
1 | |
| Get Address | c:\windows\syswow64\combase.dll | function = CoWaitForMultipleHandles, address_out = 0x76f0aeb0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = RegisterTouchHitTestingWindow, address_out = 0x77188da0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowFeedbackSetting, address_out = 0x77189120 |
|
1 | |
| Get Address | c:\windows\syswow64\d2d1.dll | function = 1, address_out = 0x717bee70 |
|
1 | |
| Get Address | c:\windows\syswow64\dwrite.dll | function = DWriteCreateFactory, address_out = 0x7135eda0 |
|
1 | |
| Get Address | c:\windows\syswow64\dxgi.dll | function = CreateDXGIFactory1, address_out = 0x7123df70 |
|
1 | |
| Get Address | c:\windows\syswow64\d3d11.dll | function = D3D11CreateDevice, address_out = 0x70e506f0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 8, address_out = 0x76ca3220 |
|
1 | |
| Get Address | c:\windows\syswow64\dxgi.dll | function = CreateDXGIFactory, address_out = 0x7123da80 |
|
1 | |
| Get Address | Unknown module name | function = LresultFromObject, address_out = 0x70ab74e0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = RegisterDragDrop, address_out = 0x768d92a0 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = CoInternetCombineUrlEx, address_out = 0x740efac0 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = CoInternetParseUrl, address_out = 0x740d5bc0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 4, address_out = 0x76ca91a0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 147, address_out = 0x76ca7e70 |
|
1 | |
| Get Address | Unknown module name | function = InternetTimeToSystemTimeW, address_out = 0x7071d2a0 |
|
1 | |
| Get Address | Unknown module name | function = SetUrlCacheEntryInfoA, address_out = 0x707a1be0 |
|
1 | |
| Get Address | Unknown module name | function = InternetGetConnectedState, address_out = 0x70724970 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = CoInternetCombineIUri, address_out = 0x740d9ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = ResolveDelayLoadedAPI, address_out = 0x74f24e60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = ResolveDelayLoadsFromDll, address_out = 0x74fa0770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryProtectedPolicy, address_out = 0x74f39ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = CoInternetCombineUrl, address_out = 0x740da740 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ExtractIconW, address_out = 0x755d09f0 |
|
1 | |
| Get Address | Unknown module name | function = JsVarRelease, address_out = 0x704a64f0 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = CoInternetIsFeatureEnabledForIUri, address_out = 0x740f0050 |
|
1 | |
| Get Address | c:\windows\syswow64\combase.dll | function = PropVariantClear, address_out = 0x76ec6f30 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = CoInternetQueryInfo, address_out = 0x740d5eb0 |
|
1 | |
| Get Address | c:\windows\syswow64\combase.dll | function = RoGetActivationFactory, address_out = 0x76ee0f30 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = CoInternetCanonicalizeIUri, address_out = 0x740b3dd0 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = 495, address_out = 0x740b4d90 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = 414, address_out = 0x740b7f00 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = CreateURLMonikerEx2, address_out = 0x740b3640 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = RegisterBindStatusCallback, address_out = 0x740ebab0 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = IsAsyncMoniker, address_out = 0x740b3b70 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 27, address_out = 0x76ca3e60 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 16, address_out = 0x76caabb0 |
|
1 | |
| Get Address | Unknown module name | function = HttpDuplicateDependencyHandle, address_out = 0x70799be0 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = GetIDNFlagsForUri, address_out = 0x740fc9f0 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = RevokeBindStatusCallback, address_out = 0x740ebdb0 |
|
1 | |
| Get Address | Unknown module name | function = TTLoadEmbeddedFont, address_out = 0x6f4e2e20 |
|
1 | |
| Get Address | Unknown module name | function = TTDeleteEmbeddedFont, address_out = 0x6f4e31d0 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = SHGetPathFromIDListW, address_out = 0x755744a0 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x755c4cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CreateBindCtx, address_out = 0x768de170 |
|
1 | |
| Get Address | Unknown module name | function = UrlCacheUpdateEntryExtraData, address_out = 0x7078e980 |
|
1 | |
| Get Address | Unknown module name | function = IdentifyMIMEType, address_out = 0x714c2290 |
|
1 | |
| Get Address | Unknown module name | function = CommitUrlCacheEntryW, address_out = 0x7078e3a0 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = GetClassFileOrMime, address_out = 0x740ba130 |
|
1 | |
| Get Address | c:\windows\syswow64\combase.dll | function = CoGetTreatAsClass, address_out = 0x76ef1ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\combase.dll | function = StringFromGUID2, address_out = 0x76ef0600 |
|
1 | |
| Get Address | c:\windows\syswow64\shcore.dll | function = SHRegGetValueW, address_out = 0x77375bb0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 149, address_out = 0x76cb4600 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, SEC_COMMIT, maximum_size = 40 |
|
1 | |
| Create Mapping | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT, protection = PAGE_READWRITE, maximum_size = 0 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, SEC_COMMIT, maximum_size = 1048576 |
|
1 | |
| Map | - | process_name = c:\windows\syswow64\mshta.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ |
|
1 | |
| Map | - | process_name = c:\windows\syswow64\mshta.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ |
|
1 | |
| Map | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT | process_name = c:\windows\syswow64\mshta.exe, desired_access = FILE_MAP_ALL_ACCESS |
|
1 | |
| Map | - | process_name = c:\windows\syswow64\mshta.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ |
|
1 |
Window (17)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = HTML Application Host Window Class, wndproc_parameter = 1929275944 |
|
1 | |
| Create | - | class_name = HTML Application Host Window Class, wndproc_parameter = 1929275944 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 103088128 |
|
1 | |
| Create | HitTestManager | class_name = HitTestWorker, wndproc_parameter = 1929277288 |
|
1 | |
| Create | HitTestWindow | class_name = HitTestWorker, wndproc_parameter = 1929277288 |
|
1 | |
| Create | - | wndproc_parameter = 4975920 |
|
1 | |
| Create | - | class_name = WorkerW, wndproc_parameter = 0 |
|
1 | |
| Set Attribute | - | class_name = HTML Application Host Window Class, index = 18446744073709551600, new_long = 18446744071609188352 |
|
1 | |
| Set Attribute | - | index = 18446744073709551595, new_long = 103088128 |
|
1 | |
| Set Attribute | HitTestManager | class_name = HitTestWorker, index = 18446744073709551595, new_long = 1929277288 |
|
1 | |
| Set Attribute | HitTestWindow | class_name = HitTestWorker, index = 18446744073709551595, new_long = 1929277288 |
|
1 | |
| Set Attribute | - | index = 18446744073709551595, new_long = 4975920 |
|
1 | |
| Set Attribute | - | class_name = WorkerW, index = 0, new_long = 5286208 |
|
1 | |
| Set Attribute | - | class_name = WorkerW, index = 18446744073709551612, new_long = 1915230656 |
|
1 | |
| Set Attribute | - | class_name = HTML Application Host Window Class, index = 18446744073709551600, new_long = 0 |
|
1 | |
| Set Attribute | - | class_name = HTML Application Host Window Class, index = 18446744073709551596, new_long = 262144 |
|
1 |
Keyboard (81)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = KB_LOCALE_ID |
|
1 | |
| Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 | |
| Get Info | type = KB_LOCALE_ID_NAME, result_out = 00000409 |
|
1 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
7 | |
| Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
7 | |
| Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
19 | |
| Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
19 | |
| Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
7 | |
| Read | virtual_key_code = VK_MENU, result_out = 0 |
|
19 |
System (358)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 429, y_out = 272 |
|
8 | |
| Get Cursor | x_out = 97, y_out = 381 |
|
12 | |
| Get Cursor | x_out = 16, y_out = 400 |
|
3 | |
| Get Cursor | x_out = 986, y_out = 599 |
|
1 | |
| Get Cursor | x_out = 121, y_out = 449 |
|
3 | |
| Get Cursor | x_out = 1276, y_out = 791 |
|
3 | |
| Get Cursor | x_out = 569, y_out = 166 |
|
4 | |
| Get Cursor | x_out = 211, y_out = 446 |
|
5 | |
| Get Cursor | x_out = 83, y_out = 683 |
|
8 | |
| Get Cursor | x_out = 650, y_out = 825 |
|
6 | |
| Get Cursor | x_out = 1292, y_out = 745 |
|
7 | |
| Get Cursor | x_out = 1059, y_out = 437 |
|
8 | |
| Get Cursor | x_out = 1283, y_out = 580 |
|
8 | |
| Get Cursor | x_out = 943, y_out = 473 |
|
11 | |
| Get Cursor | x_out = 461, y_out = 174 |
|
12 | |
| Get Cursor | x_out = 1421, y_out = 545 |
|
15 | |
| Sleep | duration = -1 (infinite) |
|
9 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
4 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Get Time | type = Ticks, time = 156890 |
|
2 | |
| Get Time | type = Ticks, time = 159484 |
|
1 | |
| Get Time | type = System Time, time = 2018-11-07 11:29:34 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 162296 |
|
1 | |
| Get Time | type = Ticks, time = 166359 |
|
2 | |
| Get Time | type = Ticks, time = 168046 |
|
1 | |
| Get Time | type = Ticks, time = 168296 |
|
1 | |
| Get Time | type = Ticks, time = 171125 |
|
2 | |
| Get Time | type = Ticks, time = 171171 |
|
1 | |
| Get Time | type = Ticks, time = 172718 |
|
2 | |
| Get Time | type = Ticks, time = 172890 |
|
2 | |
| Get Time | type = Ticks, time = 172968 |
|
1 | |
| Get Time | type = Ticks, time = 173015 |
|
1 | |
| Get Time | type = System Time, time = 2018-11-07 11:29:45 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 173031 |
|
1 | |
| Get Time | type = Ticks, time = 173406 |
|
2 | |
| Get Time | type = Ticks, time = 173687 |
|
2 | |
| Get Time | type = Ticks, time = 173718 |
|
8 | |
| Get Time | type = Ticks, time = 173734 |
|
15 | |
| Get Time | type = Ticks, time = 173750 |
|
15 | |
| Get Time | type = Ticks, time = 173765 |
|
17 | |
| Get Time | type = Ticks, time = 173781 |
|
16 | |
| Get Time | type = Ticks, time = 173796 |
|
1 | |
| Get Time | type = Ticks, time = 173937 |
|
6 | |
| Get Time | type = System Time, time = 2018-11-07 11:29:46 (UTC) |
|
3 | |
| Get Time | type = Ticks, time = 174000 |
|
2 | |
| Get Time | type = Ticks, time = 174015 |
|
2 | |
| Get Time | type = Ticks, time = 174781 |
|
1 | |
| Get Time | type = System Time, time = 2018-11-07 11:29:48 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 177781 |
|
1 | |
| Get Time | type = Ticks, time = 178406 |
|
5 | |
| Get Time | type = Ticks, time = 178421 |
|
1 | |
| Get Time | type = Ticks, time = 179421 |
|
18 | |
| Get Time | type = Ticks, time = 179578 |
|
3 | |
| Get Time | type = Ticks, time = 179593 |
|
2 | |
| Get Time | type = System Time, time = 2018-11-07 11:29:52 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 179906 |
|
1 | |
| Get Time | type = Ticks, time = 180015 |
|
1 | |
| Get Time | type = Ticks, time = 180062 |
|
1 | |
| Get Time | type = Ticks, time = 180078 |
|
2 | |
| Get Time | type = Ticks, time = 180156 |
|
1 | |
| Get Time | type = Ticks, time = 180609 |
|
1 | |
| Get Time | type = System Time, time = 2018-11-07 11:29:54 (UTC) |
|
3 | |
| Get Time | type = Ticks, time = 185359 |
|
1 | |
| Get Time | type = System Time, time = 2018-11-07 11:30:00 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 187203 |
|
1 | |
| Get Time | type = System Time, time = 2018-11-07 11:30:05 (UTC) |
|
5 | |
| Get Time | type = Ticks, time = 193171 |
|
18 | |
| Get Time | type = Ticks, time = 193218 |
|
1 | |
| Get Time | type = System Time, time = 2018-11-07 11:30:06 (UTC) |
|
2 | |
| Get Time | type = System Time, time = 2018-11-07 11:30:29 (UTC) |
|
1 | |
| Get Time | type = System Time, time = 2018-11-07 11:30:32 (UTC) |
|
17 | |
| Get Time | type = System Time, time = 2018-11-07 11:30:33 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 221593 |
|
2 | |
| Get Time | type = Ticks, time = 231375 |
|
2 | |
| Get Time | type = Ticks, time = 231390 |
|
3 | |
| Get Time | type = Ticks, time = 231453 |
|
2 | |
| Get Time | type = Ticks, time = 231484 |
|
2 | |
| Get Time | type = Ticks, time = 231515 |
|
2 | |
| Get Time | type = Ticks, time = 231546 |
|
2 | |
| Get Time | type = Ticks, time = 231562 |
|
2 | |
| Get Time | type = Ticks, time = 233968 |
|
1 | |
| Get Info | type = Operating System |
|
6 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = Hardware Information |
|
2 |
Mutex (14)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Local\MSIMGSIZECacheMutex |
|
1 | |
| Release | mutex_name = Local\MSIMGSIZECacheMutex |
|
1 | |
| Release | - |
|
12 |
Environment (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = JS_DEBUG_SCOPE |
|
2 | |
| Get Environment String | name = JS_PROFILER |
|
1 | |
| Get Environment String | name = VERTYPE |
|
1 | |
| Set Environment String | name = SEE_MASK_NOZONECHECKS, value = 1 |
|
1 |
Ini (5)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | Win.ini | section_name = windows, key_name = DragDelay, default_value = 20, data_out = 20 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollDelay, default_value = 50, data_out = 50 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragDelay, default_value = 200, data_out = 200 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollInterval, default_value = 50, data_out = 50 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollInset, default_value = 11, data_out = 11 |
|
1 |
Debug (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\windows\syswow64\mshta.exe | - |
|
3 |
Network Behavior
URL (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Query Info | url = file:///C:/Users/CIIHMN~1/AppData/Local/Temp/7ZipSfx.000/bin/Tools/run.hta, query_options = QUERY_RECOMBINE |
|
1 | |
| Query Info | url = http://update.drp.su/beetle/17.7.119/DriverPackSolution.html, query_options = QUERY_CAN_NAVIGATE |
|
1 | |
| Query Info | url = http://update.drp.su/beetle/17.7.119/css/style.css, query_options = QUERY_RECOMBINE |
|
1 |
Inet (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Check for internet connection | - |
|
1 |
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 320 bytes |
| Total Data Received | 5.00 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | update.drp.su |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729) |
| Server Name | update.drp.su |
| Server Port | 80 |
| Data Sent | 320 |
| Data Received | 5119 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = update.drp.su, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /v2/ |
|
1 | |
| Send HTTP Request | url = http://update.drp.su/v2/ |
|
1 | |
| Receive HTTP Status | status = 200 |
|
1 | |
| Read Response | size_out = 5119, data = var UPDATE_CONFIG = { "HOST": "http://update.drp.su", "ONLINE_17_URL": "/beetle/17.7.119/", "MIGRATIONS_URL": "/v2/", "EXPERIMENTS": [], "MIGRATIONS_CONTENT": { "17.7.36": { "filename": "patch.reg", "content": [ "Windows Registry Editor Version 5.00\r", "\r", "; --------------------------------------------------\r", "; - ZoneMap patching -\r", "; --------------------------------------------------\r", "\r", "; production\r", "\r", "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\drp.su\\update]\r", "\"http\"=dword:00000001\r", "\"https\"=dword:00000001\r", "\r", "\r", ";Disables offline mode\r", "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings]\r", "\"GlobalUserOffline\"=dword:00000000\r", "\r", "; --------------------------------------------------\r", "; - Fix for long running scripts -\r", "; --------------------------------------------------\r", "\r", "[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Styles]\r", "\"MaxScriptStatements\"=dword:ffffffff\r", "\r", "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Styles]\r", "\"MaxScriptStatements\"=dword:ffffffff\r", "\r", "; --------------------------------------------------\r", "; - Internet Explorer settings -\r", "; --------------------------------------------------\r", "\r", "; GPU rendering enabled\r", "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_GPU_RENDERING]\r", "\"mshta.exe\"=dword:00000001\r", "\r", "; Touch Screen enabled\r", "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_NINPUT_LEGACYMODE]\r", "\"mshta.exe\"=dword:00000000\r", "\r", "; Suppress dialog boxes for SSL errors\r", "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_SSLUX]\r", "\"mshta.exe\"=dword:00000001\r", "\r", "; IE Add-ons disabled\r", "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ADDON_MANAGEMENT]\r", "\"mshta.exe\"=dword:00000000\r", "\r", "; Windows Registry Editor Version 5.00\r", "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_BROWSER_EMULATION]\r", "\"mshta.exe\"=dword:0000270f\r", "\r", "; Enable the native XMLHttpRequest object\r", "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_XMLHTTP]\r", "\"mshta.exe\"=dword:00000001\r", "\r", "; Allows script to create and use WebSocket objects\r", "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_WEBSOCKET]\r", "\"mshta.exe\"=dword:00000001\r", "\r", "; FEATURE_AJAX_CONNECTIONEVENTS\r", "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_AJAX_CONNECTIONEVENTS]\r", "\"mshta.exe\"=dword:00000001\r", "\r", "; Enables the XDomainRequest object, which represents a cross-domain Asynchronous JavaScript and XML (AJAX) request\r", "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_XDOMAINREQUEST]\r", "\"mshta.exe\"=dword:00000001\r", "\r", "; Disabling Local Machine Zone Lockdown an other blocking\r", "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN]\r", "\"mshta.exe\"=dword:00000000\r", "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BLOCK_LMZ_OBJECT]\r", "\"mshta.exe\"=dword:00000000\r", "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BLOCK_LMZ_SCRIPT]\r", "\"mshta.exe\"=dword:00000000\r", "\r", "; Disallow security band (still retains security)\r", "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_SECURITYBAND]\r", "\"mshta.exe\"=dword:00000000\r", "\r", "\r", "; FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION\r", "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION]\r", "\"mshta.exe\"=dword:00000000\r", "\r", "; ActiveX Update Restriction\r", "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_RESTRICT_ACTIVEXINSTALL]\r", "\"mshta.exe\"=dword:00000000\r", "\r", "\r" |
|
1 |
Process #18: sc.exe
8
0
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\system32\sc.exe |
| Command Line | C:\Windows\system32\sc.exe start wuauserv |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:19, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Self Terminated |
| Monitor Duration | 00:00:40 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x378 |
| Parent PID | 0x330 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
304
0x
C68
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000ef8a0d0000 | 0xef8a0d0000 | 0xef8a0effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ef8a0d0000 | 0xef8a0d0000 | 0xef8a0dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ef8a0e0000 | 0xef8a0e0000 | 0xef8a0e6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ef8a0f0000 | 0xef8a0f0000 | 0xef8a103fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ef8a110000 | 0xef8a110000 | 0xef8a18ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ef8a190000 | 0xef8a190000 | 0xef8a193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ef8a1a0000 | 0xef8a1a0000 | 0xef8a1a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ef8a1b0000 | 0xef8a1b0000 | 0xef8a1b1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xef8a1c0000 | 0xef8a27dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ef8a280000 | 0xef8a280000 | 0xef8a2fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ef8a300000 | 0xef8a300000 | 0xef8a306fff | Private Memory | rw |
|
|
|
- |
| sc.exe.mui | 0xef8a310000 | 0xef8a321fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ef8a3a0000 | 0xef8a3a0000 | 0xef8a49ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ef8a540000 | 0xef8a540000 | 0xef8a54ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5fff60000 | 0x7df5fff60000 | 0x7ff5fff5ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d5b10000 | 0x7ff6d5b10000 | 0x7ff6d5c0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d5c10000 | 0x7ff6d5c10000 | 0x7ff6d5c32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d5c3b000 | 0x7ff6d5c3b000 | 0x7ff6d5c3cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d5c3d000 | 0x7ff6d5c3d000 | 0x7ff6d5c3efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d5c3f000 | 0x7ff6d5c3f000 | 0x7ff6d5c3ffff | Private Memory | rw |
|
|
|
- |
| sc.exe | 0x7ff6d6a20000 | 0x7ff6d6a35fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 425 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\sc.exe | base_address = 0x7ff6d6a20000 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | service_name = wuauserv |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Start | service_name = wuauserv |
|
1 |
Process #19: cmd.exe
62
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /C powershell -NonInteractive -NoLogo -NoProfile -ExecutionPolicy Bypass "Get-Content 'C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\ps.jo7307fl.vi3yv.cmd.txt' -Wait | Invoke-Expression" > "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\ps.jo7307fl.vi3yv.stdout.log" 2> "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\ps.jo7307fl.vi3yv.stderr.log" |
| Initial Working Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\ |
| Monitor | Start Time: 00:02:21, Reason: Child Process |
| Unmonitor | End Time: 00:05:11, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:50 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfe8 |
| Parent PID | 0xd18 (c:\windows\syswow64\mshta.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
984
0x
A90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00350000 | 0x0039ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x044effff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000044f0000 | 0x044f0000 | 0x0450ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000044f0000 | 0x044f0000 | 0x044fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004500000 | 0x04500000 | 0x04503fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004510000 | 0x04510000 | 0x04514fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004510000 | 0x04510000 | 0x04513fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004520000 | 0x04520000 | 0x04533fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004540000 | 0x04540000 | 0x0457ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004580000 | 0x04580000 | 0x0467ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004680000 | 0x04680000 | 0x04683fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004690000 | 0x04690000 | 0x04690fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000046a0000 | 0x046a0000 | 0x046a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x046b0000 | 0x0476dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000047a0000 | 0x047a0000 | 0x047affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000047b0000 | 0x047b0000 | 0x047effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004880000 | 0x04880000 | 0x0497ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b60000 | 0x04b60000 | 0x04b6ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04b70000 | 0x04ea6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed60000 | 0x7ed60000 | 0x7ee5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ee60000 | 0x7ee60000 | 0x7ee82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee85000 | 0x7ee85000 | 0x7ee85fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee87000 | 0x7ee87000 | 0x7ee87fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee8a000 | 0x7ee8a000 | 0x7ee8cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee8d000 | 0x7ee8d000 | 0x7ee8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (19)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\ps.jo7307fl.vi3yv.stdout.log | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\ps.jo7307fl.vi3yv.stderr.log | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
7 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_ERROR_HANDLE | - |
|
4 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | os_pid = 0xa84, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x350000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (15)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 |
Process #21: cmd.exe
75
0
| Information | Value |
|---|---|
| ID | #21 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /c "netsh advfirewall firewall delete rule name="DriverPack aria2c.exe" || echo Done & call echo Done %^errorLevel% > "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\run_command_92238.txt"" |
| Initial Working Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\ |
| Monitor | Start Time: 00:02:22, Reason: Child Process |
| Unmonitor | End Time: 00:02:45, Reason: Self Terminated |
| Monitor Duration | 00:00:23 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x744 |
| Parent PID | 0xd18 (c:\windows\syswow64\mshta.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C4C
0x
A9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00350000 | 0x0039ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x047effff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000047f0000 | 0x047f0000 | 0x0480ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000047f0000 | 0x047f0000 | 0x047fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004800000 | 0x04800000 | 0x04803fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004810000 | 0x04810000 | 0x04814fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004810000 | 0x04810000 | 0x04813fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004820000 | 0x04820000 | 0x04833fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004840000 | 0x04840000 | 0x0487ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004880000 | 0x04880000 | 0x0497ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004980000 | 0x04980000 | 0x04983fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004990000 | 0x04990000 | 0x04990fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000049a0000 | 0x049a0000 | 0x049a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049b0000 | 0x049b0000 | 0x049effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049f0000 | 0x049f0000 | 0x049fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04a00000 | 0x04abdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004ad0000 | 0x04ad0000 | 0x04bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bd0000 | 0x04bd0000 | 0x04ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04eaffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04eb0000 | 0x051e6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e870000 | 0x7e870000 | 0x7e96ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e970000 | 0x7e970000 | 0x7e992fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e998000 | 0x7e998000 | 0x7e99afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e99b000 | 0x7e99b000 | 0x7e99dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e99e000 | 0x7e99e000 | 0x7e99efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e99f000 | 0x7e99f000 | 0x7e99ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\run_command_92238.txt | 0.01 KB |
MD5:
02466847c63e90c5041b8dd7990dce27
SHA1: fdcf71f16e2efcb8815730b4cca5f580b185cf5c SHA256: 195418a93d769a17558aa804568eff487979e62d0731aa8c63d8d0ffc1723321 SSDeep: 3:6Uvn:6Uvn |
|
|
Host Behavior
File (25)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\run_command_92238.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
14 | |
| Open | STD_INPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\netsh.exe | os_pid = 0x9d4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x350000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (22)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = ^errorLevel |
|
1 | |
| Get Environment String | name = > "C |
|
1 | |
| Get Environment String | name = errorLevel |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #23: powershell.exe
2544
0
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\windows\syswow64\windowspowershell\v1.0\powershell.exe |
| Command Line | powershell -NonInteractive -NoLogo -NoProfile -ExecutionPolicy Bypass "Get-Content 'C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\ps.jo7307fl.vi3yv.cmd.txt' -Wait | Invoke-Expression" |
| Initial Working Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\ |
| Monitor | Start Time: 00:02:24, Reason: Child Process |
| Unmonitor | End Time: 00:05:11, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:47 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa84 |
| Parent PID | 0xfe8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A78
0x
9E4
0x
868
0x
920
0x
C98
0x
C30
0x
BEC
0x
88C
0x
834
0x
FA4
0x
C38
0x
F6C
0x
EE8
0x
FA0
0x
F90
0x
D94
0x
C54
0x
F48
0x
EE0
0x
F64
0x
FB4
0x
E94
0x
F38
0x
FE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000290000 | 0x00290000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x0029ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b5fff | Private Memory | rw |
|
|
|
- |
| powershell.exe.mui | 0x002b0000 | 0x002b2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00363fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x00370fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x00381fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00390fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x004c0000 | 0x0057dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00600fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00610fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00620fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.1.db | 0x00630000 | 0x00633fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x00630000 | 0x00633fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x00640000 | 0x00652fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x00660fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x006b0000 | 0x006b3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x00857fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x009e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x00a2ffff | Private Memory | rw |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000036.db | 0x00a30000 | 0x00a4bfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a33fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x00a4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a9ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00aaffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00abffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c8ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0x00c90000 | 0x00cd2fff | Memory Mapped File | r |
|
|
|
- |
| powershell.exe | 0x00ce0000 | 0x00d54fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x04d5ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000004d60000 | 0x04d60000 | 0x0615ffff | Pagefile Backed Memory | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x06160000 | 0x061eafff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000061f0000 | 0x061f0000 | 0x0622ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006230000 | 0x06230000 | 0x0626ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006270000 | 0x06270000 | 0x0627ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000006280000 | 0x06280000 | 0x0628ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000006290000 | 0x06290000 | 0x06290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000062a0000 | 0x062a0000 | 0x062a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000062b0000 | 0x062b0000 | 0x062effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000062f0000 | 0x062f0000 | 0x0632ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006330000 | 0x06330000 | 0x0633ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006340000 | 0x06340000 | 0x0634ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x06350000 | 0x06686fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006690000 | 0x06690000 | 0x066affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000066b0000 | 0x066b0000 | 0x066effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000066f0000 | 0x066f0000 | 0x0672ffff | Private Memory | rw |
|
|
|
- |
| winnlsres.dll | 0x06730000 | 0x06734fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0x06740000 | 0x0674ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006750000 | 0x06750000 | 0x0675ffff | Private Memory | rw |
|
|
|
- |
| mscorrc.dll | 0x06760000 | 0x067c1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000067d0000 | 0x067d0000 | 0x067dffff | Private Memory | - |
|
|
|
- |
| private_0x00000000067e0000 | 0x067e0000 | 0x067effff | Private Memory | - |
|
|
|
- |
| private_0x00000000067f0000 | 0x067f0000 | 0x067fffff | Private Memory | rw |
|
|
|
- |
| system.numerics.dll | 0x06800000 | 0x06821fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000006830000 | 0x06830000 | 0x0683ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000006840000 | 0x06840000 | 0x0684ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000006850000 | 0x06850000 | 0x0685ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000006860000 | 0x06860000 | 0x0686ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000006870000 | 0x06870000 | 0x0687ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000006880000 | 0x06880000 | 0x0688ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000006950000 | 0x06950000 | 0x0695ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000006960000 | 0x06960000 | 0x0895ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008960000 | 0x08960000 | 0x08a5ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.ni.dll | 0x6a5f0000 | 0x6bddefff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x6bde0000 | 0x6c4f2fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x6c5e0000 | 0x6cf8cfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x6cf90000 | 0x6e1bafff | Memory Mapped File | rwx |
|
|
|
- |
| clr.dll | 0x6e200000 | 0x6e8a7fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr120_clr0400.dll | 0x6ee20000 | 0x6ef14fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x6efd0000 | 0x6f047fff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x6f080000 | 0x6f08efff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x6f090000 | 0x6f0abfff | Memory Mapped File | rwx |
|
|
|
- |
| clrjit.dll | 0x6f0c0000 | 0x6f13cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntshrui.dll | 0x6f140000 | 0x6f206fff | Memory Mapped File | rwx |
|
|
|
- |
| bcp47langs.dll | 0x6f270000 | 0x6f2c0fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x6f3f0000 | 0x6f47afff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x6f480000 | 0x6f4d8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x70b30000 | 0x70b57fff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x710d0000 | 0x710e7fff | Memory Mapped File | rwx |
|
|
|
- |
| linkinfo.dll | 0x714b0000 | 0x714bafff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x73970000 | 0x73988fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74400000 | 0x7442efff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74430000 | 0x7444afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74450000 | 0x74462fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74470000 | 0x745b1fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75220000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76820000 | 0x768a1fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x773d0000 | 0x773d5fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007f2f1000 | 0x7f2f1000 | 0x7f2f3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2f4000 | 0x7f2f4000 | 0x7f2f6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2f7000 | 0x7f2f7000 | 0x7f2f9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2fa000 | 0x7f2fa000 | 0x7f2fcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2fd000 | 0x7f2fd000 | 0x7f2fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007f300000 | 0x7f300000 | 0x7f3fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f400000 | 0x7f400000 | 0x7f422fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f424000 | 0x7f424000 | 0x7f424fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f425000 | 0x7f425000 | 0x7f425fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f427000 | 0x7f427000 | 0x7f429fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f42a000 | 0x7f42a000 | 0x7f42cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f42d000 | 0x7f42d000 | 0x7f42ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 137 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\DOMStore\37JGORX3\update.drp[1].xml | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.0.cs | 0.48 KB |
MD5:
91758722dc7e495caa693882723676a2
SHA1: 7dc3b526c084605a82acf57f3f1884795b67a7b8 SHA256: afaee024b1d79b00a1db67cb4f03bc2dad739022fb6030d0c81cbc00a6e1acb1 SSDeep: 12:V/DTLDfuUYoREepHLlFTeOREyb3w065j06dzzcPPQy:JjmRIEeNLlFTlEOCu6ZTy |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.out | 0.47 KB |
MD5:
6f47ebb121b26bae1e18d59d4f782f59
SHA1: 84bba0935d77c6573f3536864747c1928f6f0736 SHA256: b004a08b2f9bfc43bdc24ba620588ebd058b0954b492a8b1b9fb5e2aee79d4fa SSDeep: 12:KtZOnIMqR37Lvkmb6KlZOI0WZEmZOqLGA+:Kt8nIMqd3ka6Kl82Em8wGA+ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\s3u0ysf4.nb4.ps1 | 0.00 KB |
MD5:
c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b SSDeep: 3:U:U |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.cmdline | 0.36 KB |
MD5:
fa690fb256c4c62da5186e7fccfc1bf3
SHA1: db79b52e6f021168b06203282b6afab7f78df905 SHA256: 7d77a7833aaf9d571c29c42383778207f5dfb63f2f7095e122f57b5e23e18e15 SSDeep: 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2zoc6/23fmx0zxs7+AEszIzoc6/23fmVLGWHn:p37Lvkmb6KlZOI0WZEmZOqLGAn |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | 1.88 KB |
MD5:
e8209c1727d6a53ffe477e661b4cb961
SHA1: 52e71836c94daada7ed3bf34259a0455d20721e7 SHA256: a5bc70c81792dca3223001c408194d186fd3907f3e77a2284efbbfff2ef2e48f SSDeep: 48:yHSdSM7gCqNOX7gTHFl2dWBzyzDZBzyzOdIDEBXpBM/:yil7gCjX7gTll2dWBzyzDZBzyzOdIDEq |
|
|
Host Behavior
File (983)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\s3u0ysf4.nb4.ps1 | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\jhygy0la.x1g.psm1 | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\typesv3.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\HelpV3.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.0\PackageManagement.psd1 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_85525a38-be22-4966-b0fc-b808e4124a0f | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e1d59afd-fedf-4dad-a2f3-bba3e7eabe5c | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_06f90924-1e5d-474b-ba1f-65c4b5caf36a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bf1cb9b0-ce8c-44e7-bb1c-52ad1299acf8 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\ps.jo7307fl.vi3yv.cmd.txt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\ps.jo7307ev.5pcbx.ps1 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\ps.jo7307ev.5pcbx.ps1 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.tmp | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.0.cs | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.cmdline | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.out | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.err | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.dll | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp | desired_access = FILE_READ_DATA, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, FILE_FLAG_OVERLAPPED, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create Pipe | \device\namedpipe\pshost.131860638084425712.2692.defaultappdomain.powershell | open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_FIRST_PIPE_INSTANCE, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_READMODE_MESSAGE, PIPE_TYPE_MESSAGE, max_instances = 1 |
|
1 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\typesv3.ps1xml | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\HelpV3.format.ps1xml | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps | type = file_attributes |
|
5 | |
| Get Info | C:\ | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\system32\wldp.dll | type = file_attributes |
|
92 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\s3u0ysf4.nb4.ps1 | type = file_type |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\jhygy0la.x1g.psm1 | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | type = file_type |
|
4 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\typesv3.ps1xml | type = file_type |
|
4 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_type |
|
4 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_type |
|
4 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_type |
|
4 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\HelpV3.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Users | type = file_attributes |
|
4 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData | type = file_attributes |
|
4 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local | type = file_attributes |
|
4 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp | type = file_attributes |
|
4 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\7ZipSfx.000 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\7ZipSfx.000\bin | type = file_attributes |
|
6 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | type = file_attributes |
|
1 | |
| Get Info | C:\ProgramData\Oracle\Java\javapath | type = file_attributes |
|
32 | |
| Get Info | C:\Windows\system32 | type = file_attributes |
|
8 | |
| Get Info | C:\Windows\System32\Wbem | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\WindowsPowerShell\Modules | type = file_attributes |
|
6 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules | type = file_attributes |
|
5 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ | type = file_attributes |
|
4 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\AppLocker | type = file_attributes |
|
2 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\AppLocker\AppLocker.psd1 | type = file_attributes |
|
2 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Appx | type = file_attributes |
|
2 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Appx\Appx.psd1 | type = file_attributes |
|
2 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\BitsTransfer | type = file_attributes |
|
2 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1 | type = file_attributes |
|
2 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\BranchCache | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\BranchCache\BranchCache.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\CimCmdlets | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\DirectAccessClientComponents | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Dism\Dism.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\DnsClient | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\DnsClient\DnsClient.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\EventTracingManagement | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\EventTracingManagement\EventTracingManagement.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\International | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\International\International.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\iSCSI | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\iSCSI\iSCSI.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\ISE | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\ISE\ISE.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Kds | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Kds\Kds.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.psm1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.cdxml | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.xaml | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.dll | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Diagnostics | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Host | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 | type = file_attributes |
|
2 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.psm1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.xaml | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psd1 | type = file_attributes |
|
2 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Security | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1 | type = file_attributes |
|
2 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | type = file_attributes |
|
2 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.WSMan.Management | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\MsDtc | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\MsDtc\MsDtc.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\NetAdapter\NetAdapter.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\NetConnection | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\NetConnection\NetConnection.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\NetEventPacketCapture | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\NetEventPacketCapture\NetEventPacketCapture.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\NetLbfo | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\NetLbfo\NetLbfo.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\NetNat\NetNat.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\NetQos | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\NetQos\NetQos.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\NetSecurity | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\NetSecurity\NetSecurity.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\NetSwitchTeam | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\NetSwitchTeam\NetSwitchTeam.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\NetTCPIP\NetTCPIP.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\NetworkConnectivityStatus | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\NetworkConnectivityStatus\NetworkConnectivityStatus.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\NetworkTransition | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\NetworkTransition\NetworkTransition.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PKI | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PKI\PKI.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PnpDevice | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PnpDevice\PnpDevice.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PrintManagement | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PrintManagement\PrintManagement.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PSDesiredStateConfiguration | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PSDiagnostics | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PSScheduledJob | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PSScheduledJob\PSScheduledJob.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\ScheduledTasks | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\ScheduledTasks\ScheduledTasks.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\SecureBoot | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\SecureBoot\SecureBoot.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Storage | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Storage\Storage.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\TLS | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\TLS\TLS.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\TroubleshootingPack | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\TroubleshootingPack\TroubleshootingPack.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\TrustedPlatformModule | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\TrustedPlatformModule\TrustedPlatformModule.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\VpnClient | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\VpnClient\VpnClient.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Wdac\Wdac.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\WindowsDeveloperLicense | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\WindowsDeveloperLicense\WindowsDeveloperLicense.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\WindowsErrorReporting | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\WindowsErrorReporting\WindowsErrorReporting.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\WindowsUpdate | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\WindowsUpdate\WindowsUpdate.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Modules.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Modules.psm1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Modules.cdxml | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Modules.xaml | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Modules.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.0\1.0.0.0.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.0\1.0.0.0.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.0\1.0.0.0.cdxml | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.0\1.0.0.0.xaml | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.0\1.0.0.0.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.0\PackageManagement.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.0\PackageManagement.psd1 | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.3.5 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.cdxml | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.xaml | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\Pester.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\Pester.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\Pester.cdxml | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\Pester.xaml | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\Pester.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.cdxml | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.xaml | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppLocker | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Appx | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BranchCache | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCache.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\CimCmdlets | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DnsClient | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DnsClient\DnsClient.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\EventTracingManagement | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\EventTracingManagement\EventTracingManagement.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\International | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\International\International.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\iSCSI | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSI.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Kds | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Kds\Kds.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.cdxml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.xaml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.cdxml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.xaml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | type = file_type |
|
4 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_85525a38-be22-4966-b0fc-b808e4124a0f | type = file_type |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e1d59afd-fedf-4dad-a2f3-bba3e7eabe5c | type = file_type |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_06f90924-1e5d-474b-ba1f-65c4b5caf36a | type = file_type |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bf1cb9b0-ce8c-44e7-bb1c-52ad1299acf8 | type = file_type |
|
2 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 | type = file_attributes |
|
3 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 | type = file_type |
|
2 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\en-US\Microsoft.PowerShell.Management.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\en\Microsoft.PowerShell.Management.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\PSGetModuleInfo.xml | type = file_attributes |
|
1 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll | type = file_attributes |
|
1 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll\Microsoft.PowerShell.Commands.Management.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Management | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Management\Microsoft.PowerShell.Commands.Management.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Management | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Management\Microsoft.PowerShell.Commands.Management.dll | type = file_attributes |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
2 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\en-US\Microsoft.PowerShell.Utility.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\en\Microsoft.PowerShell.Utility.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\PSGetModuleInfo.xml | type = file_attributes |
|
1 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll | type = file_attributes |
|
1 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll\Microsoft.PowerShell.Commands.Utility.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll | type = file_attributes |
|
1 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | type = file_attributes |
|
3 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | type = file_type |
|
4 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | type = file_type |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\ps.jo7307fl.vi3yv.cmd.txt | type = file_attributes |
|
121 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\ps.jo7307fl.vi3yv.cmd.txt | type = file_type |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\ps.jo7307fl.vi3yv.cmd.txt | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\ps.jo7307ev.5pcbx.ps1 | type = file_attributes |
|
8 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\ps.jo7307ev.5pcbx.ps1 | type = file_type |
|
4 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\ps.jo7307ev.5pcbx.ps1 | type = file_type |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.tmp | type = file_type |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.0.cs | type = file_type |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.dll | type = file_type |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.cmdline | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.out | type = file_type |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.err | type = file_type |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.dll | type = file_type |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.dll | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.pdb | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
2 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
2 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 4096 |
|
54 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 719 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\typesv3.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\typesv3.ps1xml | size = 4096, size_out = 2838 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\typesv3.ps1xml | size = 234, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\typesv3.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 2762 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 310, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 4096 |
|
36 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 1199 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 849, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 4096 |
|
5 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 3065 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 7, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 4096 |
|
33 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\HelpV3.format.ps1xml | size = 4096, size_out = 4096 |
|
54 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\HelpV3.format.ps1xml | size = 4096, size_out = 1337 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\HelpV3.format.ps1xml | size = 711, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\HelpV3.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.0\PackageManagement.psd1 | size = 4096, size_out = 1427 |
|
1 | |
| Read | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.0\PackageManagement.psd1 | size = 621, size_out = 0 |
|
1 | |
| Read | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.0\PackageManagement.psd1 | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 | size = 4096, size_out = 4096 |
|
3 | |
| Read | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 | size = 4096, size_out = 1509 |
|
1 | |
| Read | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 | size = 539, size_out = 0 |
|
1 | |
| Read | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | size = 4096, size_out = 4096 |
|
8 | |
| Read | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | size = 4096, size_out = 3215 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 1921 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_85525a38-be22-4966-b0fc-b808e4124a0f | size = 3, size_out = 3 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_85525a38-be22-4966-b0fc-b808e4124a0f | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e1d59afd-fedf-4dad-a2f3-bba3e7eabe5c | size = 4096, size_out = 2418 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_06f90924-1e5d-474b-ba1f-65c4b5caf36a | size = 4096, size_out = 341 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bf1cb9b0-ce8c-44e7-bb1c-52ad1299acf8 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 | size = 4096, size_out = 2389 |
|
1 | |
| Read | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 | size = 683, size_out = 0 |
|
1 | |
| Read | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | size = 4096, size_out = 4096 |
|
5 | |
| Read | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | size = 4096, size_out = 2975 |
|
1 | |
| Read | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | size = 97, size_out = 0 |
|
1 | |
| Read | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\ps.jo7307fl.vi3yv.cmd.txt | size = 4096, size_out = 1372 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\ps.jo7307ev.5pcbx.ps1 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\ps.jo7307ev.5pcbx.ps1 | size = 4096, size_out = 3694 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\ps.jo7307ev.5pcbx.ps1 | size = 402, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\ps.jo7307ev.5pcbx.ps1 | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\ps.jo7307fl.vi3yv.cmd.txt | size = 676, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.dll | size = 4096, size_out = 3584 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\ps.jo7307fl.vi3yv.cmd.txt | size = 4096, size_out = 0 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 0 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\s3u0ysf4.nb4.ps1 | size = 1 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\jhygy0la.x1g.psm1 | size = 1 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 1921 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 0 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.0.cs | size = 496 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.cmdline | size = 365 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.out | size = 485 |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\s3u0ysf4.nb4.ps1 | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\jhygy0la.x1g.psm1 | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.dll | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.pdb | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.tmp | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.err | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.cmdline | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.out | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.0.cs | - |
|
1 |
Registry (393)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\Transcription | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Diagnostics-Performance/Operational | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Diagnostics-Performance/Operational\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Diagnostics-Performance/Operational | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Diagnostics-Performance/Operational | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
84 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
9 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging | - |
|
1 | |
| Read Value | - | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | - | value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = TZI, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = FirstEntry, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = FirstEntry, data = 2007, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = LastEntry, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = LastEntry, data = 2008, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = 2007, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = 2008, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Display, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Display, data = @tzres.dll,-670, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Std, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Std, data = @tzres.dll,-672, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Dlt, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Dlt, data = @tzres.dll,-671, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
84 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
4 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
4 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
3 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
3 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
3 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
3 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
3 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
3 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
3 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
3 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
3 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
3 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.cmdline" | os_pid = 0xe60, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\system32\en-US\tzres.dll.mui | base_address = 0x590001 |
|
3 | |
| Get Filename | - | process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
2 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Find | - | class_name = HTML Application Host Window Class |
|
1 |
Keyboard (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = KB_CODEPAGE, result_out = 437 |
|
1 |
System (903)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 5 milliseconds (0.005 seconds) |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
706 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
3 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
83 | |
| Get Info | type = Hardware Information |
|
110 |
Mutex (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-1462094071-1423818996-289466292-1000 |
|
1 | |
| Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-1462094071-1423818996-289466292-1000 |
|
1 | |
| Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-1462094071-1423818996-289466292-1000 |
|
1 | |
| Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-1462094071-1423818996-289466292-1000 |
|
1 |
Environment (56)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
24 | |
| Get Environment String | name = PathEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PinnableBufferCache_System.Threading.OverlappedData_Disabled |
|
1 | |
| Get Environment String | name = PinnableBufferCache_System.Threading.OverlappedData_MinCount |
|
1 | |
| Get Environment String | name = USERPROFILE, result_out = C:\Users\CIiHmnxMn6Ps |
|
2 | |
| Get Environment String | name = PSModuleAutoLoadingPreference |
|
9 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL |
|
4 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Users\CIiHmnxMn6Ps\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
3 | |
| Get Environment String | name = PSDisableModuleAutoloadingCacheMaintenance |
|
1 | |
| Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
3 | |
| Get Environment String | name = PSExecutionPolicyPreference, result_out = Bypass |
|
1 | |
| Get Environment String | - |
|
1 | |
| Set Environment String | name = PSExecutionPolicyPreference, value = Bypass |
|
1 | |
| Set Environment String | name = PathEXT, value = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL |
|
1 | |
| Set Environment String | name = PSMODULEPATH, value = C:\Users\CIiHmnxMn6Ps\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 |
Process #24: netsh.exe
62
0
| Information | Value |
|---|---|
| ID | #24 |
| File Name | c:\windows\syswow64\netsh.exe |
| Command Line | netsh advfirewall firewall delete rule name="DriverPack aria2c.exe" |
| Initial Working Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:44, Reason: Self Terminated |
| Monitor Duration | 00:00:19 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9d4 |
| Parent PID | 0x744 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A64
0x
A08
0x
85C
0x
84
0x
C60
0x
658
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00f0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ef0000 | 0x00ef0000 | 0x00efffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f03fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f14fff | Private Memory | rw |
|
|
|
- |
| netsh.exe.mui | 0x00f10000 | 0x00f14fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x00f33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x0107ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001080000 | 0x01080000 | 0x01083fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001090000 | 0x01090000 | 0x01090fff | Pagefile Backed Memory | r |
|
|
|
- |
| netsh.exe | 0x010a0000 | 0x010bdfff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x050c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x050d0000 | 0x0518dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x051cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051d0000 | 0x051d0000 | 0x051d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051e0000 | 0x051e0000 | 0x051effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051f0000 | 0x051f0000 | 0x0522ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x05230000 | 0x05259fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005230000 | 0x05230000 | 0x05230fff | Private Memory | rw |
|
|
|
- |
| mfc42u.dll.mui | 0x05240000 | 0x05247fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005250000 | 0x05250000 | 0x05253fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005260000 | 0x05260000 | 0x0526ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x0536ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x053effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000053f0000 | 0x053f0000 | 0x053f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005400000 | 0x05400000 | 0x05401fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005410000 | 0x05410000 | 0x0550ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005510000 | 0x05510000 | 0x0560ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005610000 | 0x05610000 | 0x0570ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005710000 | 0x05710000 | 0x05897fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000058a0000 | 0x058a0000 | 0x05a20fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005a30000 | 0x05a30000 | 0x06e2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000006e30000 | 0x06e30000 | 0x06e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006e70000 | 0x06e70000 | 0x06f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006f70000 | 0x06f70000 | 0x0700ffff | Private Memory | rw |
|
|
|
- |
| fwcfg.dll.mui | 0x06f70000 | 0x06f80fff | Memory Mapped File | r |
|
|
|
- |
| p2pnetsh.dll.mui | 0x06f90000 | 0x06f99fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006fa0000 | 0x06fa0000 | 0x06fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007000000 | 0x07000000 | 0x0700ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007010000 | 0x07010000 | 0x0710ffff | Private Memory | rw |
|
|
|
- |
| authfwcfg.dll.mui | 0x07110000 | 0x0713ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000007140000 | 0x07140000 | 0x0714ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x07150000 | 0x07486fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000074e0000 | 0x074e0000 | 0x075dffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| rmclient.dll | 0x6cce0000 | 0x6ccfdfff | Memory Mapped File | rwx |
|
|
|
- |
| wcmapi.dll | 0x6cd00000 | 0x6cd19fff | Memory Mapped File | rwx |
|
|
|
- |
| ktmw32.dll | 0x6cd20000 | 0x6cd28fff | Memory Mapped File | rwx |
|
|
|
- |
| peerdistsh.dll | 0x6cd30000 | 0x6cd8afff | Memory Mapped File | rwx |
|
|
|
- |
| wshelper.dll | 0x6cd90000 | 0x6cd97fff | Memory Mapped File | rwx |
|
|
|
- |
| wlanapi.dll | 0x6cda0000 | 0x6cdeafff | Memory Mapped File | rwx |
|
|
|
- |
| wifidisplay.dll | 0x6cdf0000 | 0x6ce17fff | Memory Mapped File | rwx |
|
|
|
- |
| wlancfg.dll | 0x6ce20000 | 0x6ce5cfff | Memory Mapped File | rwx |
|
|
|
- |
| whhelper.dll | 0x6ce60000 | 0x6ce66fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcnsh.dll | 0x6ce70000 | 0x6ce7afff | Memory Mapped File | rwx |
|
|
|
- |
| p2p.dll | 0x6ce80000 | 0x6ceaffff | Memory Mapped File | rwx |
|
|
|
- |
| p2pnetsh.dll | 0x6ceb0000 | 0x6cee0fff | Memory Mapped File | rwx |
|
|
|
- |
| nshwfp.dll | 0x6cef0000 | 0x6cf80fff | Memory Mapped File | rwx |
|
|
|
- |
| adsldpc.dll | 0x6e1c0000 | 0x6e1f7fff | Memory Mapped File | rwx |
|
|
|
- |
| dot3cfg.dll | 0x6e8b0000 | 0x6e8c1fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x6e8d0000 | 0x6e8e2fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x6e8f0000 | 0x6e903fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcmonitor.dll | 0x6e910000 | 0x6e916fff | Memory Mapped File | rwx |
|
|
|
- |
| cabinet.dll | 0x6e920000 | 0x6e941fff | Memory Mapped File | rwx |
|
|
|
- |
| winipsec.dll | 0x6e950000 | 0x6e963fff | Memory Mapped File | rwx |
|
|
|
- |
| polstore.dll | 0x6e970000 | 0x6e9bafff | Memory Mapped File | rwx |
|
|
|
- |
| activeds.dll | 0x6e9c0000 | 0x6e9fafff | Memory Mapped File | rwx |
|
|
|
- |
| nshipsec.dll | 0x6ea00000 | 0x6ea62fff | Memory Mapped File | rwx |
|
|
|
- |
| httpapi.dll | 0x6ea70000 | 0x6ea79fff | Memory Mapped File | rwx |
|
|
|
- |
| nshhttp.dll | 0x6ea80000 | 0x6ea8afff | Memory Mapped File | rwx |
|
|
|
- |
| netiohlp.dll | 0x6ea90000 | 0x6eabefff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x6eac0000 | 0x6ead2fff | Memory Mapped File | rwx |
|
|
|
- |
| netshell.dll | 0x6eae0000 | 0x6ed71fff | Memory Mapped File | rwx |
|
|
|
- |
| hnetmon.dll | 0x6ed80000 | 0x6ed87fff | Memory Mapped File | rwx |
|
|
|
- |
| fwcfg.dll | 0x6ed90000 | 0x6ed9efff | Memory Mapped File | rwx |
|
|
|
- |
| eappprxy.dll | 0x6eda0000 | 0x6edaffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp110_win.dll | 0x6edb0000 | 0x6ee14fff | Memory Mapped File | rwx |
|
|
|
- |
| onex.dll | 0x6ef20000 | 0x6ef59fff | Memory Mapped File | rwx |
|
|
|
- |
| eappcfg.dll | 0x6ef60000 | 0x6efa8fff | Memory Mapped File | rwx |
|
|
|
- |
| dot3api.dll | 0x6efb0000 | 0x6efc8fff | Memory Mapped File | rwx |
|
|
|
- |
| fwbase.dll | 0x6f050000 | 0x6f07cfff | Memory Mapped File | rwx |
|
|
|
- |
| fwpolicyiomgr.dll | 0x6f0b0000 | 0x6f0dbfff | Memory Mapped File | rwx |
|
|
|
- |
| firewallapi.dll | 0x6f0e0000 | 0x6f13cfff | Memory Mapped File | rwx |
|
|
|
- |
| authfwcfg.dll | 0x6f210000 | 0x6f26bfff | Memory Mapped File | rwx |
|
|
|
- |
| mprapi.dll | 0x6f2d0000 | 0x6f34afff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x6f350000 | 0x6f372fff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x6f380000 | 0x6f423fff | Memory Mapped File | rwx |
|
|
|
- |
| rasmontr.dll | 0x6f430000 | 0x6f47ffff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x71000000 | 0x71007fff | Memory Mapped File | rwx |
|
|
|
- |
| odbc32.dll | 0x71030000 | 0x710c8fff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x710d0000 | 0x710e7fff | Memory Mapped File | rwx |
|
|
|
- |
| mfc42u.dll | 0x710f0000 | 0x71221fff | Memory Mapped File | rwx |
|
|
|
- |
| ifmon.dll | 0x714c0000 | 0x714cafff | Memory Mapped File | rwx |
|
|
|
- |
| wevtapi.dll | 0x71960000 | 0x719adfff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x71b50000 | 0x71bd3fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x71c00000 | 0x71c4dfff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x71c60000 | 0x71ca5fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x71d10000 | 0x71d17fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x71d20000 | 0x71d4ffff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x71d70000 | 0x71e16fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x73740000 | 0x73760fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x73970000 | 0x73988fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74430000 | 0x7444afff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75220000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75350000 | 0x753a2fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x769b0000 | 0x76a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x76d30000 | 0x76d3dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x773e0000 | 0x773e6fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x77ab0000 | 0x77c24fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007e5dd000 | 0x7e5dd000 | 0x7e5dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007e5e0000 | 0x7e5e0000 | 0x7e6dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e6e0000 | 0x7e6e0000 | 0x7e702fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e703000 | 0x7e703000 | 0x7e705fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e706000 | 0x7e706000 | 0x7e706fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e708000 | 0x7e708000 | 0x7e70afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e70b000 | 0x7e70b000 | 0x7e70dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e70e000 | 0x7e70e000 | 0x7e70efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 2 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
File (4)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open | STD_OUTPUT_HANDLE | - |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 42 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
1 |
Registry (19)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 |
Module (37)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | api-ms-win-appmodel-runtime-l1-1-0.dll | base_address = 0x77c30000 |
|
1 | |
| Load | IFMON.DLL | base_address = 0x714c0000 |
|
1 | |
| Load | RASMONTR.DLL | base_address = 0x6f430000 |
|
1 | |
| Load | AUTHFWCFG.DLL | base_address = 0x6f210000 |
|
1 | |
| Load | DHCPCMONITOR.DLL | base_address = 0x6e910000 |
|
1 | |
| Load | DOT3CFG.DLL | base_address = 0x6e8b0000 |
|
1 | |
| Load | FWCFG.DLL | base_address = 0x6ed90000 |
|
1 | |
| Load | HNETMON.DLL | base_address = 0x6ed80000 |
|
1 | |
| Load | NETIOHLP.DLL | base_address = 0x6ea90000 |
|
1 | |
| Load | NSHHTTP.DLL | base_address = 0x6ea80000 |
|
1 | |
| Load | NSHIPSEC.DLL | base_address = 0x6ea00000 |
|
1 | |
| Load | NSHWFP.DLL | base_address = 0x6cef0000 |
|
1 | |
| Load | P2PNETSH.DLL | base_address = 0x6ceb0000 |
|
1 | |
| Load | RPCNSH.DLL | base_address = 0x6ce70000 |
|
1 | |
| Load | WHHELPER.DLL | base_address = 0x6ce60000 |
|
1 | |
| Load | WLANCFG.DLL | base_address = 0x6ce20000 |
|
1 | |
| Load | WSHELPER.DLL | base_address = 0x6cd90000 |
|
1 | |
| Load | PEERDISTSH.DLL | base_address = 0x6cd30000 |
|
1 | |
| Get Handle | c:\windows\syswow64\netsh.exe | base_address = 0x10a0000 |
|
2 | |
| Get Address | c:\windows\syswow64\ifmon.dll | function = InitHelperDll, address_out = 0x714c1ab0 |
|
1 | |
| Get Address | c:\windows\syswow64\rasmontr.dll | function = InitHelperDll, address_out = 0x6f453f80 |
|
1 | |
| Get Address | c:\windows\syswow64\authfwcfg.dll | function = InitHelperDll, address_out = 0x6f213c40 |
|
1 | |
| Get Address | c:\windows\syswow64\dhcpcmonitor.dll | function = InitHelperDll, address_out = 0x6e911a10 |
|
1 | |
| Get Address | c:\windows\syswow64\dot3cfg.dll | function = InitHelperDll, address_out = 0x6e8b3aa0 |
|
1 | |
| Get Address | c:\windows\syswow64\fwcfg.dll | function = InitHelperDll, address_out = 0x6ed92290 |
|
1 | |
| Get Address | c:\windows\syswow64\hnetmon.dll | function = InitHelperDll, address_out = 0x6ed824b0 |
|
1 | |
| Get Address | c:\windows\syswow64\netiohlp.dll | function = InitHelperDll, address_out = 0x6eaa69d0 |
|
1 | |
| Get Address | c:\windows\syswow64\nshhttp.dll | function = InitHelperDll, address_out = 0x6ea81b90 |
|
1 | |
| Get Address | c:\windows\syswow64\nshipsec.dll | function = InitHelperDll, address_out = 0x6ea03910 |
|
1 | |
| Get Address | c:\windows\syswow64\nshwfp.dll | function = InitHelperDll, address_out = 0x6cf43320 |
|
1 | |
| Get Address | c:\windows\syswow64\p2pnetsh.dll | function = InitHelperDll, address_out = 0x6ceb58d0 |
|
1 | |
| Get Address | c:\windows\syswow64\rpcnsh.dll | function = InitHelperDll, address_out = 0x6ce72a80 |
|
1 | |
| Get Address | c:\windows\syswow64\whhelper.dll | function = InitHelperDll, address_out = 0x6ce617b0 |
|
1 | |
| Get Address | c:\windows\syswow64\wlancfg.dll | function = InitHelperDll, address_out = 0x6ce29f00 |
|
1 | |
| Get Address | c:\windows\syswow64\wshelper.dll | function = InitHelperDll, address_out = 0x6cd916a0 |
|
1 | |
| Get Address | c:\windows\syswow64\peerdistsh.dll | function = InitHelperDll, address_out = 0x6cd4e4d0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
1 |
Process #26: cmd.exe
69
0
| Information | Value |
|---|---|
| ID | #26 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /c "netsh advfirewall firewall add rule name="DriverPack aria2c.exe" dir=in action=allow program="C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\7ZipSfx.000\bin\tools\aria2c.exe" || echo Done & call echo Done %^errorLevel% > "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\run_command_70498.txt"" |
| Initial Working Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\ |
| Monitor | Start Time: 00:02:45, Reason: Child Process |
| Unmonitor | End Time: 00:02:48, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb58 |
| Parent PID | 0xd18 (c:\windows\syswow64\mshta.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C48
0x
7A8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00350000 | 0x0039ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x0439ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000043a0000 | 0x043a0000 | 0x043bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000043a0000 | 0x043a0000 | 0x043affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000043b0000 | 0x043b0000 | 0x043b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000043c0000 | 0x043c0000 | 0x043c4fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000043c0000 | 0x043c0000 | 0x043c3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000043d0000 | 0x043d0000 | 0x043e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000043f0000 | 0x043f0000 | 0x0442ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004430000 | 0x04430000 | 0x0452ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004530000 | 0x04530000 | 0x04533fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004540000 | 0x04540000 | 0x04540fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004550000 | 0x04550000 | 0x04551fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04560000 | 0x0461dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004620000 | 0x04620000 | 0x0462ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004630000 | 0x04630000 | 0x0466ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046a0000 | 0x046a0000 | 0x0479ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000047a0000 | 0x047a0000 | 0x0489ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049e0000 | 0x049e0000 | 0x049effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x049f0000 | 0x04d26fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea60000 | 0x7ea60000 | 0x7eb5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb60000 | 0x7eb60000 | 0x7eb82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb85000 | 0x7eb85000 | 0x7eb85fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb87000 | 0x7eb87000 | 0x7eb87fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb8a000 | 0x7eb8a000 | 0x7eb8cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb8d000 | 0x7eb8d000 | 0x7eb8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\run_command_70498.txt | 0.01 KB |
MD5:
47a22a7a342fd09177c62fcb8054933c
SHA1: d2b7928a34eedb04acc61c3a0e01d3138295e855 SHA256: 51e6af14fa1e9032300dbf76a85cb8561e523e89c363cec09cdc2128801a191d SSDeep: 3:6Nn:6N |
|
|
Host Behavior
File (20)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\temp\run_command_70498.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
11 | |
| Open | STD_INPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\netsh.exe | os_pid = 0xb4c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x350000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = ^errorLevel |
|
1 | |
| Get Environment String | name = > "C |
|
1 | |
| Get Environment String | name = errorLevel |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #28: netsh.exe
15
0
| Information | Value |
|---|---|
| ID | #28 |
| File Name | c:\windows\syswow64\netsh.exe |
| Command Line | netsh advfirewall firewall add rule name="DriverPack aria2c.exe" dir=in action=allow program="C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\7ZipSfx.000\bin\tools\aria2c.exe" |
| Initial Working Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\ |
| Monitor | Start Time: 00:02:46, Reason: Child Process |
| Unmonitor | End Time: 00:02:48, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb4c |
| Parent PID | 0xb58 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6A8
0x
DFC
0x
C6C
0x
C70
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a90000 | 0x00a90000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00a9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00aa3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00ab4fff | Private Memory | rw |
|
|
|
- |
| netsh.exe.mui | 0x00ab0000 | 0x00ab4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x00ad3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c20000 | 0x00c20000 | 0x00c23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x00c30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c41fff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00c50000 | 0x00c79fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c50fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c60fff | Private Memory | rw |
|
|
|
- |
| mfc42u.dll.mui | 0x00c70000 | 0x00c77fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00c8ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00c90000 | 0x00d4dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00e13fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x0101ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001020000 | 0x01020000 | 0x01020fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001030000 | 0x01030000 | 0x01031fff | Pagefile Backed Memory | r |
|
|
|
- |
| fwcfg.dll.mui | 0x01040000 | 0x01050fff | Memory Mapped File | r |
|
|
|
- |
| p2pnetsh.dll.mui | 0x01060000 | 0x01069fff | Memory Mapped File | r |
|
|
|
- |
| netsh.exe | 0x010a0000 | 0x010bdfff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x051bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051d0000 | 0x051d0000 | 0x051dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000051e0000 | 0x051e0000 | 0x05367fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005370000 | 0x05370000 | 0x054f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005500000 | 0x05500000 | 0x068fffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000006980000 | 0x06980000 | 0x0698ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006a70000 | 0x06a70000 | 0x06a7ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| rmclient.dll | 0x6bc10000 | 0x6bc2dfff | Memory Mapped File | rwx |
|
|
|
- |
| wcmapi.dll | 0x6bc30000 | 0x6bc49fff | Memory Mapped File | rwx |
|
|
|
- |
| ktmw32.dll | 0x6bc50000 | 0x6bc58fff | Memory Mapped File | rwx |
|
|
|
- |
| peerdistsh.dll | 0x6bc60000 | 0x6bcbafff | Memory Mapped File | rwx |
|
|
|
- |
| wshelper.dll | 0x6bcc0000 | 0x6bcc7fff | Memory Mapped File | rwx |
|
|
|
- |
| wifidisplay.dll | 0x6bcd0000 | 0x6bcf7fff | Memory Mapped File | rwx |
|
|
|
- |
| wlanapi.dll | 0x6bd00000 | 0x6bd4afff | Memory Mapped File | rwx |
|
|
|
- |
| wlancfg.dll | 0x6bd50000 | 0x6bd8cfff | Memory Mapped File | rwx |
|
|
|
- |
| whhelper.dll | 0x6bd90000 | 0x6bd96fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcnsh.dll | 0x6bda0000 | 0x6bdaafff | Memory Mapped File | rwx |
|
|
|
- |
| p2p.dll | 0x6bdb0000 | 0x6bddffff | Memory Mapped File | rwx |
|
|
|
- |
| p2pnetsh.dll | 0x6c500000 | 0x6c530fff | Memory Mapped File | rwx |
|
|
|
- |
| nshwfp.dll | 0x6c540000 | 0x6c5d0fff | Memory Mapped File | rwx |
|
|
|
- |
| adsldpc.dll | 0x6e1c0000 | 0x6e1f7fff | Memory Mapped File | rwx |
|
|
|
- |
| cabinet.dll | 0x6e8b0000 | 0x6e8d1fff | Memory Mapped File | rwx |
|
|
|
- |
| winipsec.dll | 0x6e8e0000 | 0x6e8f3fff | Memory Mapped File | rwx |
|
|
|
- |
| polstore.dll | 0x6e900000 | 0x6e94afff | Memory Mapped File | rwx |
|
|
|
- |
| activeds.dll | 0x6e950000 | 0x6e98afff | Memory Mapped File | rwx |
|
|
|
- |
| nshipsec.dll | 0x6e990000 | 0x6e9f2fff | Memory Mapped File | rwx |
|
|
|
- |
| httpapi.dll | 0x6ea00000 | 0x6ea09fff | Memory Mapped File | rwx |
|
|
|
- |
| nshhttp.dll | 0x6ea10000 | 0x6ea1afff | Memory Mapped File | rwx |
|
|
|
- |
| netiohlp.dll | 0x6ea20000 | 0x6ea4efff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x6ea50000 | 0x6ea62fff | Memory Mapped File | rwx |
|
|
|
- |
| netshell.dll | 0x6ea70000 | 0x6ed01fff | Memory Mapped File | rwx |
|
|
|
- |
| hnetmon.dll | 0x6ed10000 | 0x6ed17fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp110_win.dll | 0x6ed20000 | 0x6ed84fff | Memory Mapped File | rwx |
|
|
|
- |
| eappcfg.dll | 0x6ed90000 | 0x6edd8fff | Memory Mapped File | rwx |
|
|
|
- |
| onex.dll | 0x6ede0000 | 0x6ee19fff | Memory Mapped File | rwx |
|
|
|
- |
| fwcfg.dll | 0x6ef20000 | 0x6ef2efff | Memory Mapped File | rwx |
|
|
|
- |
| eappprxy.dll | 0x6ef30000 | 0x6ef3ffff | Memory Mapped File | rwx |
|
|
|
- |
| dot3api.dll | 0x6ef40000 | 0x6ef58fff | Memory Mapped File | rwx |
|
|
|
- |
| dot3cfg.dll | 0x6ef60000 | 0x6ef71fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x6ef80000 | 0x6ef92fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x6efa0000 | 0x6efb3fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcmonitor.dll | 0x6efc0000 | 0x6efc6fff | Memory Mapped File | rwx |
|
|
|
- |
| fwbase.dll | 0x6f050000 | 0x6f07cfff | Memory Mapped File | rwx |
|
|
|
- |
| firewallapi.dll | 0x6f0b0000 | 0x6f10cfff | Memory Mapped File | rwx |
|
|
|
- |
| fwpolicyiomgr.dll | 0x6f110000 | 0x6f13bfff | Memory Mapped File | rwx |
|
|
|
- |
| authfwcfg.dll | 0x6f210000 | 0x6f26bfff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x6f2d0000 | 0x6f2f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x6f300000 | 0x6f3a3fff | Memory Mapped File | rwx |
|
|
|
- |
| mprapi.dll | 0x6f3b0000 | 0x6f42afff | Memory Mapped File | rwx |
|
|
|
- |
| rasmontr.dll | 0x6f430000 | 0x6f47ffff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x71000000 | 0x71007fff | Memory Mapped File | rwx |
|
|
|
- |
| odbc32.dll | 0x71030000 | 0x710c8fff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x710d0000 | 0x710e7fff | Memory Mapped File | rwx |
|
|
|
- |
| mfc42u.dll | 0x710f0000 | 0x71221fff | Memory Mapped File | rwx |
|
|
|
- |
| ifmon.dll | 0x714c0000 | 0x714cafff | Memory Mapped File | rwx |
|
|
|
- |
| wevtapi.dll | 0x71960000 | 0x719adfff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x71b50000 | 0x71bd3fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x71c00000 | 0x71c4dfff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x71c60000 | 0x71ca5fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x71d10000 | 0x71d17fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x71d20000 | 0x71d4ffff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x71d70000 | 0x71e16fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x73740000 | 0x73760fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x73970000 | 0x73988fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74430000 | 0x7444afff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75220000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75350000 | 0x753a2fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x769b0000 | 0x76a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x76d30000 | 0x76d3dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x773e0000 | 0x773e6fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x77ab0000 | 0x77c24fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea20000 | 0x7ea20000 | 0x7eb1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb20000 | 0x7eb20000 | 0x7eb42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb44000 | 0x7eb44000 | 0x7eb44fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb48000 | 0x7eb48000 | 0x7eb4afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb4b000 | 0x7eb4b000 | 0x7eb4bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb4d000 | 0x7eb4d000 | 0x7eb4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
Registry (6)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 |
Module (9)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | api-ms-win-appmodel-runtime-l1-1-0.dll | base_address = 0x77c30000 |
|
1 | |
| Load | IFMON.DLL | base_address = 0x714c0000 |
|
1 | |
| Load | RASMONTR.DLL | base_address = 0x6f430000 |
|
1 | |
| Load | AUTHFWCFG.DLL | base_address = 0x6f210000 |
|
1 | |
| Get Handle | c:\windows\syswow64\netsh.exe | base_address = 0x10a0000 |
|
2 | |
| Get Address | c:\windows\syswow64\ifmon.dll | function = InitHelperDll, address_out = 0x714c1ab0 |
|
1 | |
| Get Address | c:\windows\syswow64\rasmontr.dll | function = InitHelperDll, address_out = 0x6f453f80 |
|
1 | |
| Get Address | c:\windows\syswow64\authfwcfg.dll | function = InitHelperDll, address_out = 0x6f213c40 |
|
1 |
Process #30: services.exe
0
0
| Information | Value |
|---|---|
| ID | #30 |
| File Name | c:\windows\system32\services.exe |
| Command Line | C:\Windows\system32\services.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:51, Reason: Created Daemon |
| Unmonitor | End Time: 00:05:11, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:20 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1e8 |
| Parent PID | 0x198 (c:\windows\system32\wininit.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
354
0x
324
0x
294
0x
260
0x
238
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000005df6210000 | 0x5df6210000 | 0x5df621ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| services.exe.mui | 0x5df6220000 | 0x5df6224fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005df6230000 | 0x5df6230000 | 0x5df6243fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005df62d0000 | 0x5df62d0000 | 0x5df62d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005df62e0000 | 0x5df62e0000 | 0x5df62e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x5df62f0000 | 0x5df63adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005df6430000 | 0x5df6430000 | 0x5df6430fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6460000 | 0x5df6460000 | 0x5df6466fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6470000 | 0x5df6470000 | 0x5df64effff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6500000 | 0x5df6500000 | 0x5df65fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df66e0000 | 0x5df66e0000 | 0x5df66e6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6700000 | 0x5df6700000 | 0x5df67fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6800000 | 0x5df6800000 | 0x5df687ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6880000 | 0x5df6880000 | 0x5df68fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6900000 | 0x5df6900000 | 0x5df697ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6b00000 | 0x5df6b00000 | 0x5df6b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6c00000 | 0x5df6c00000 | 0x5df6cfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff8d0000 | 0x7df5ff8d0000 | 0x7ff5ff8cffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff79a786000 | 0x7ff79a786000 | 0x7ff79a787fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79a78e000 | 0x7ff79a78e000 | 0x7ff79a78ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff79a790000 | 0x7ff79a790000 | 0x7ff79a88ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff79a890000 | 0x7ff79a890000 | 0x7ff79a8b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff79a8b3000 | 0x7ff79a8b3000 | 0x7ff79a8b4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79a8b5000 | 0x7ff79a8b5000 | 0x7ff79a8b6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79a8b7000 | 0x7ff79a8b7000 | 0x7ff79a8b7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79a8ba000 | 0x7ff79a8ba000 | 0x7ff79a8bbfff | Private Memory | rw |
|
|
|
- |
| services.exe | 0x7ff79a960000 | 0x7ff79a9cffff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrcli.dll | 0x7ff8e7d10000 | 0x7ff8e7d1ffff | Memory Mapped File | rwx |
|
|
|
- |
| authz.dll | 0x7ff8e9ec0000 | 0x7ff8e9f07fff | Memory Mapped File | rwx |
|
|
|
- |
| scesrv.dll | 0x7ff8e9f10000 | 0x7ff8e9f9dfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ff8ea010000 | 0x7ff8ea035fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ff8ea5c0000 | 0x7ff8ea61cfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| spinf.dll | 0x7ff8eab80000 | 0x7ff8eab9afff | Memory Mapped File | rwx |
|
|
|
- |
| eventaggregation.dll | 0x7ff8eaba0000 | 0x7ff8eabb9fff | Memory Mapped File | rwx |
|
|
|
- |
| dabapi.dll | 0x7ff8eabc0000 | 0x7ff8eabc7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ff8ee040000 | 0x7ff8ee0a8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ff8ee250000 | 0x7ff8ee257fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #43: sppsvc.exe
33
0
| Information | Value |
|---|---|
| ID | #43 |
| File Name | c:\windows\system32\sppsvc.exe |
| Command Line | C:\Windows\system32\sppsvc.exe |
| Initial Working Directory | C:\Windows |
| Monitor | Start Time: 00:02:51, Reason: Child Process |
| Unmonitor | End Time: 00:05:11, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:20 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd74 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A94
0x
B44
0x
E48
0x
D38
0x
D80
0x
F4
0x
168
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000026dd4d0000 | 0x26dd4d0000 | 0x26dd4d6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000026dd4e0000 | 0x26dd4e0000 | 0x26dd4effff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000026dd4f0000 | 0x26dd4f0000 | 0x26dd503fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000026dd510000 | 0x26dd510000 | 0x26dd58ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x26dd590000 | 0x26dd64dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000026dd650000 | 0x26dd650000 | 0x26dd6cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000026dd6d0000 | 0x26dd6d0000 | 0x26dd6d6fff | Private Memory | rw |
|
|
|
- |
| sppsvc.exe.mui | 0x26dd6e0000 | 0x26dd6e5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000026dd6f0000 | 0x26dd6f0000 | 0x26dd6f0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000026dd700000 | 0x26dd700000 | 0x26dd700fff | Private Memory | rw |
|
|
|
- |
| private_0x00000026dd710000 | 0x26dd710000 | 0x26dd71ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000026dd720000 | 0x26dd720000 | 0x26dd72ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000026dd730000 | 0x26dd730000 | 0x26dd73ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000026dd740000 | 0x26dd740000 | 0x26dd74ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000026dd750000 | 0x26dd750000 | 0x26dd84ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000026dd850000 | 0x26dd850000 | 0x26dd9d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000026dda40000 | 0x26dda40000 | 0x26dda4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000026dda50000 | 0x26dda50000 | 0x26ddbd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000026ddbe0000 | 0x26ddbe0000 | 0x26ddc9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000026ddca0000 | 0x26ddca0000 | 0x26ddd1ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000026ddd20000 | 0x26ddd20000 | 0x26dde1ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000026dde20000 | 0x26dde20000 | 0x26dde9ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x26ddea0000 | 0x26de1d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000026de1e0000 | 0x26de1e0000 | 0x26de25ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000026de260000 | 0x26de260000 | 0x26de35ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000026de360000 | 0x26de360000 | 0x26de3dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000026de3e0000 | 0x26de3e0000 | 0x26de4dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000026de4e0000 | 0x26de4e0000 | 0x26de5e5fff | Private Memory | rw |
|
|
|
- |
| private_0x00000026de5f0000 | 0x26de5f0000 | 0x26de700fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff8e0000 | 0x7df5ff8e0000 | 0x7ff5ff8dffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6fca90000 | 0x7ff6fca90000 | 0x7ff6fcb8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6fcb90000 | 0x7ff6fcb90000 | 0x7ff6fcbb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6fcbb3000 | 0x7ff6fcbb3000 | 0x7ff6fcbb4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fcbb5000 | 0x7ff6fcbb5000 | 0x7ff6fcbb6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fcbb7000 | 0x7ff6fcbb7000 | 0x7ff6fcbb8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fcbb9000 | 0x7ff6fcbb9000 | 0x7ff6fcbbafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fcbbb000 | 0x7ff6fcbbb000 | 0x7ff6fcbbcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fcbbd000 | 0x7ff6fcbbd000 | 0x7ff6fcbbefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fcbbf000 | 0x7ff6fcbbf000 | 0x7ff6fcbbffff | Private Memory | rw |
|
|
|
- |
| sppsvc.exe | 0x7ff6fd150000 | 0x7ff6fd77dfff | Memory Mapped File | rwx |
|
|
|
- |
| sppobjs.dll | 0x7ff8d3ca0000 | 0x7ff8d3e17fff | Memory Mapped File | rwx |
|
|
|
- |
| clipc.dll | 0x7ff8d4960000 | 0x7ff8d4975fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptxml.dll | 0x7ff8d4980000 | 0x7ff8d49a1fff | Memory Mapped File | rwx |
|
|
|
- |
| webservices.dll | 0x7ff8d5540000 | 0x7ff8d56bafff | Memory Mapped File | rwx |
|
|
|
- |
| wwapi.dll | 0x7ff8dcc70000 | 0x7ff8dcc85fff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x7ff8e12e0000 | 0x7ff8e12f6fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ff8e6330000 | 0x7ff8e6365fff | Memory Mapped File | rwx |
|
|
|
- |
| sppwinob.dll | 0x7ff8e65a0000 | 0x7ff8e6639fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ff8e7cd0000 | 0x7ff8e7ce5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ff8e84d0000 | 0x7ff8e84d9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ff8ea000000 | 0x7ff8ea00bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ff8ea010000 | 0x7ff8ea035fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ff8eadb0000 | 0x7ff8eadc0fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ff8eafb0000 | 0x7ff8eb170fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Windows\System32\spp\store\2.0\data.dat.tmp | 30.89 KB |
MD5:
ef00858468ebc5558c7f6b03f17732f8
SHA1: ab1b6706caa5718e907ef9417a9a87d8cd37de9c SHA256: 92c2765e1a33ecbce9ce0fdff4ce60826593a010928314160d24e961b2eecb8f SSDeep: 768:YyvVT6K2/COteJqmymNq+mi4+rGewhZqILYMfcZTu4h:NAjTiNq+mi2vhZbLYKch |
|
|
| C:\Windows\System32\spp\store\2.0\data.dat.tmp | 30.62 KB |
MD5:
2cc585f21af372df194a2a69e59665d2
SHA1: 8eb5be8b4c385f6bfbcbff6e59f26132077cb4fc SHA256: f163b6841a4017e701ac346c4459d7c5f690bb535e7fa87050f4943ab511a53f SSDeep: 768:JxuBpq58otSksm4gL+oDQO7B58YfbUgX/0XR7:Jx/58oTjBLN8yfxXE7 |
|
|
| C:\Windows\System32\spp\store\2.0\data.dat.tmp | 30.94 KB |
MD5:
0cce2ad949419c2c325b040af21ab737
SHA1: cf2dedb42a6d92e6005aa7bf604c73f7967865a3 SHA256: 0e7d50439e970d437e2cfbe85db6434c95c371f9ae2131f2e14efabd991a956a SSDeep: 768:1uYqQolVFW5h7PNI90RchpdrxutLaPoROaPgtUUYGG+XEpI8j4:1rVbNI948pd8oa4tUUfGXnU |
|
|
Host Behavior
File (18)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\spp\store\2.0\data.dat.tmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_WRITE_THROUGH, share_mode = FILE_SHARE_READ |
|
3 | |
| Get Info | C:\Windows\System32\spp\store\2.0\data.dat.bak | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\System32\spp\store\2.0\data.dat.tmp | type = file_attributes |
|
3 | |
| Move | C:\Windows\System32\spp\store\2.0\data.dat.bak | source_filename = C:\Windows\System32\spp\store\2.0\data.dat.tmp, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_WRITE_THROUGH |
|
3 | |
| Move | C:\Windows\System32\spp\store\2.0\data.dat | source_filename = C:\Windows\System32\spp\store\2.0\data.dat.bak, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_WRITE_THROUGH |
|
3 | |
| Write | C:\Windows\System32\spp\store\2.0\data.dat.tmp | size = 31360 |
|
1 | |
| Write | C:\Windows\System32\spp\store\2.0\data.dat.tmp | size = 31632 |
|
1 | |
| Write | C:\Windows\System32\spp\store\2.0\data.dat.tmp | size = 31680 |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\system32\wwapi.dll | base_address = 0x7ff8dcc70000 |
|
1 | |
| Get Handle | c:\windows\system32\ntdll.dll | base_address = 0x7ff8ee380000, flags = GET_MODULE_HANDLE_EX_FLAG_PIN |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x7ff8ee4138a0 |
|
1 | |
| Get Address | c:\windows\system32\wwapi.dll | function = WwanOpenHandle, address_out = 0x7ff8dcc71010 |
|
1 | |
| Get Address | c:\windows\system32\wwapi.dll | function = WwanCloseHandle, address_out = 0x7ff8dcc74f40 |
|
1 | |
| Get Address | c:\windows\system32\wwapi.dll | function = WwanEnumerateInterfaces, address_out = 0x7ff8dcc75bb0 |
|
1 | |
| Get Address | c:\windows\system32\wwapi.dll | function = WwanQueryInterface, address_out = 0x7ff8dcc77150 |
|
1 | |
| Get Address | c:\windows\system32\wwapi.dll | function = WwanFreeMemory, address_out = 0x7ff8dcc75d60 |
|
1 |
System (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Ticks, time = 287796 |
|
1 | |
| Get Time | type = System Time, time = 2018-11-07 11:31:52 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 299890 |
|
1 | |
| Get Time | type = Ticks, time = 299984 |
|
1 | |
| Get Time | type = System Time, time = 2018-11-07 11:32:18 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 325375 |
|
1 | |
| Get Info | - |
|
1 |
Process #51: csc.exe
2
0
| Information | Value |
|---|---|
| ID | #51 |
| File Name | c:\windows\microsoft.net\framework\v4.0.30319\csc.exe |
| Command Line | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\22aputxk.cmdline" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\7ZipSfx.000\bin\ |
| Monitor | Start Time: 00:04:02, Reason: Child Process |
| Unmonitor | End Time: 00:04:10, Reason: Self Terminated |
| Monitor Duration | 00:00:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe60 |
| Parent PID | 0xa84 (c:\windows\syswow64\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B68
0x
5D8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000280000 | 0x00280000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x0028ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00293fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a4fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00513fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x00520fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x00531fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x00540fff | Private Memory | rw |
|
|
|
- |
| res923a.tmp | 0x00550000 | 0x00550fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| cscui.dll | 0x005c0000 | 0x005f1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00720000 | 0x007ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009e0000 | 0x009e0000 | 0x00b67fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00baffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x00d30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00d7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| system.core.dll | 0x00e70000 | 0x00fb1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x0103ffff | Private Memory | rw |
|
|
|
- |
| csc.exe | 0x01040000 | 0x0123ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001240000 | 0x01240000 | 0x0263ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02640000 | 0x02976fff | Memory Mapped File | r |
|
|
|
- |
| mscorlib.dll | 0x02980000 | 0x02ebbfff | Memory Mapped File | r |
|
|
|
- |
| system.dll | 0x02980000 | 0x02cd2fff | Memory Mapped File | r |
|
|
|
- |
| system.management.automation.dll | 0x02ce0000 | 0x03339fff | Memory Mapped File | r |
|
|
|
- |
| mscorlib.dll | 0x03340000 | 0x0387bfff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| clr.dll | 0x6e200000 | 0x6e8a7fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorpehost.dll | 0x6e8b0000 | 0x6e8d0fff | Memory Mapped File | rwx |
|
|
|
- |
| alink.dll | 0x6e8e0000 | 0x6e8fefff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr120_clr0400.dll | 0x6ee20000 | 0x6ef14fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x6efd0000 | 0x6f047fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x6f480000 | 0x6f4d8fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74400000 | 0x7442efff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74430000 | 0x7444afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74450000 | 0x74462fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| imagehlp.dll | 0x767f0000 | 0x76808fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x773d0000 | 0x773d5fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffff | Private Memory | - |
|
|
|
- |
| private_0x0000000080000000 | 0x80000000 | 0x8000ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x00000000fef50000 | 0xfef50000 | 0xff04ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000ff050000 | 0xff050000 | 0xff072fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000ff073000 | 0xff073000 | 0xff073fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000ff078000 | 0xff078000 | 0xff078fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000ff07a000 | 0xff07a000 | 0xff07cfff | Private Memory | rw |
|
|
|
- |
| private_0x00000000ff07d000 | 0xff07d000 | 0xff07ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffe0000 | 0xfffe0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
Registry (1)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Enumerate Values | - | - |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
1 |
Process #52: cvtres.exe
0
0
| Information | Value |
|---|---|
| ID | #52 |
| File Name | c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe |
| Command Line | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\CIIHMN~1\AppData\Local\Temp\RES923A.tmp" "c:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\CSC28C44B7A20A047048B23B9B2E69AC862.TMP" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\7ZipSfx.000\bin\ |
| Monitor | Start Time: 00:04:08, Reason: Child Process |
| Unmonitor | End Time: 00:04:10, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf0c |
| Parent PID | 0xe60 (c:\windows\microsoft.net\framework\v4.0.30319\csc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F10
0x
C44
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001f0000 | 0x001f0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x00203fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00215fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00233fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00383fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00390fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00530000 | 0x005edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| cvtres.exe | 0x00c50000 | 0x00c59fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000c60000 | 0x00c60000 | 0x04c5ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr120_clr0400.dll | 0x6ee20000 | 0x6ef14fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000000fee40000 | 0xfee40000 | 0xfef3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000fef40000 | 0xfef40000 | 0xfef62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000fef67000 | 0xfef67000 | 0xfef67fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fef68000 | 0xfef68000 | 0xfef6afff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fef6b000 | 0xfef6b000 | 0xfef6bfff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fef6d000 | 0xfef6d000 | 0xfef6ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffe0000 | 0xfffe0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #54: driverpack-7za.exe
17
0
| Information | Value |
|---|---|
| ID | #54 |
| File Name | c:\users\ciihmnxmn6ps\appdata\local\temp\7zipsfx.000\bin\tools\driverpack-7za.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\7ZipSfx.000\bin\Tools\driverpack-7za.exe" a "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\snapshots\DriverPack_Snapshot_20181107_223220.zip" "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DRPSu\diagnostics\*" |
| Initial Working Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\ |
| Monitor | Start Time: 00:04:36, Reason: Child Process |
| Unmonitor | End Time: 00:04:39, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd44 |
| Parent PID | 0xd18 (c:\windows\syswow64\mshta.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E38
0x
820
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00034fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x00200fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00213fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| driverpack-7za.exe | 0x00400000 | 0x004a7fff | Memory Mapped File | rwx |
|
|
|
- |
| locale.nls | 0x004b0000 | 0x0056dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x007f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00990fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x01d9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000000ffeb0000 | 0xffeb0000 | 0xfffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000fffb0000 | 0xfffb0000 | 0xfffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000fffd6000 | 0xfffd6000 | 0xfffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffd9000 | 0xfffd9000 | 0xfffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffdc000 | 0xfffdc000 | 0xfffdefff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffdf000 | 0xfffdf000 | 0xfffdffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffe0000 | 0xfffe0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (1)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open | STD_OUTPUT_HANDLE | - |
|
1 |
Module (4)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstStreamW, address_out = 0x74fa8bf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextStreamW, address_out = 0x74fa8f00 |
|
1 |
User (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeRestorePrivilege, luid = 18 |
|
1 | |
| Lookup Privilege | privilege = SeCreateSymbolicLinkPrivilege, luid = 35 |
|
1 | |
| Lookup Privilege | privilege = SeSecurityPrivilege, luid = 8 |
|
2 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
2 |
Process #56: reg.exe
15
0
| Information | Value |
|---|---|
| ID | #56 |
| File Name | c:\windows\system32\reg.exe |
| Command Line | "C:\Windows\sysnative\reg.exe" query "HKLM\Software\mozilla.org\Mozilla" /v "CurrentVersion" |
| Initial Working Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\7ZipSfx.000\bin\ |
| Monitor | Start Time: 00:05:10, Reason: Child Process |
| Unmonitor | End Time: 00:05:11, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4a0 |
| Parent PID | 0xd18 (c:\windows\syswow64\mshta.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
440
0x
93C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007fbcd000 | 0x7fbcd000 | 0x7fbcdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000d0db130000 | 0xd0db130000 | 0xd0db14ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d0db130000 | 0xd0db130000 | 0xd0db13ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000d0db140000 | 0xd0db140000 | 0xd0db146fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d0db150000 | 0xd0db150000 | 0xd0db163fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d0db170000 | 0xd0db170000 | 0xd0db1effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d0db1f0000 | 0xd0db1f0000 | 0xd0db1f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d0db200000 | 0xd0db200000 | 0xd0db200fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d0db210000 | 0xd0db210000 | 0xd0db211fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xd0db220000 | 0xd0db2ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d0db2e0000 | 0xd0db2e0000 | 0xd0db3dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d0db3e0000 | 0xd0db3e0000 | 0xd0db45ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d0db460000 | 0xd0db460000 | 0xd0db466fff | Private Memory | rw |
|
|
|
- |
| reg.exe.mui | 0xd0db470000 | 0xd0db479fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d0db4d0000 | 0xd0db4d0000 | 0xd0db4dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d0db4e0000 | 0xd0db4e0000 | 0xd0db5dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xd0db5e0000 | 0xd0db916fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5fffe0000 | 0x7df5fffe0000 | 0x7ff5fffdffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff655520000 | 0x7ff655520000 | 0x7ff65561ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff655620000 | 0x7ff655620000 | 0x7ff655642fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff655647000 | 0x7ff655647000 | 0x7ff655647fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff65564c000 | 0x7ff65564c000 | 0x7ff65564dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff65564e000 | 0x7ff65564e000 | 0x7ff65564ffff | Private Memory | rw |
|
|
|
- |
| reg.exe | 0x7ff655e00000 | 0x7ff655e55fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ff8ee040000 | 0x7ff8ee0a8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ff8ee250000 | 0x7ff8ee257fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (12)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_ERROR_HANDLE | - |
|
6 | |
| Write | STD_ERROR_HANDLE | size = 7 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 67 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\mozilla.org\Mozilla | - |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\reg.exe | base_address = 0x7ff655e00000 |
|
1 |
